diff --git a/.gitignore b/.gitignore
index 570e1bc..573eb37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.48.tar.bz2
+SOURCES/scap-security-guide-0.1.50.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 21a0c5b..d7de47e 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2
+1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index d26c4b2..80b2a96 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -8,8 +8,6 @@ Also disable tables for profiles that are not built.
 ---
 rhel8/CMakeLists.txt | 2 --
 rhel8/profiles/cjis.profile | 2 +-
- rhel8/profiles/cui.profile | 2 +-
- rhel8/profiles/hipaa.profile | 2 +-
 rhel8/profiles/rhelh-stig.profile | 2 +-
 rhel8/profiles/rhelh-vpp.profile | 2 +-
 rhel8/profiles/rht-ccp.profile | 2 +-
@@ -40,26 +38,6 @@ index 05ea9cdd6..9c55ac5b1 100644
 
 title: 'Criminal Justice Information Services (CJIS) Security Policy'
 
-diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
-index eb62252a4..e8f369708 100644
---- a/rhel8/profiles/cui.profile
-+++ b/rhel8/profiles/cui.profile
-@@ -1,4 +1,4 @@
--documentation_complete: true
-+documentation_complete: false
- 
- title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
- 
-diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index 8d20f9019..d641b56fe 100644
---- a/rhel8/profiles/hipaa.profile
-+++ b/rhel8/profiles/hipaa.profile
-@@ -1,4 +1,4 @@
--documentation_complete: True
-+documentation_complete: false
- 
- title: 'Health Insurance Portability and Accountability Act (HIPAA)'
- 
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile index 1efca5f44..c3d0b0964 100644 --- a/rhel8/profiles/rhelh-stig.profile diff --git a/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch b/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch deleted file mode 100644 index 6ebcb93..0000000 --- a/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 11 Feb 2020 13:53:46 +0100 -Subject: [PATCH] Add CCE identifier for openssh-server installed - ---- - .../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 + - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -index ba013ec509..cecd6514fb 100644 ---- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -@@ -17,6 +17,7 @@ severity: medium - - identifiers: - cce@rhel7: 80215-7 -+ cce@rhel8: 83303-8 - - references: - disa: 2418,2420,2421,2422 diff --git a/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch b/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch deleted file mode 100644 index cc90f9e..0000000 --- a/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch +++ /dev/null 
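Review bot: Dropping the cui.profile and hipaa.profile hunks from disable-not-in-good-shape-profiles.patch stops forcing those two RHEL 8 profiles to `documentation_complete: false`, so from the 0.1.50 rebase on they will be built and shipped as selectable policy, and nothing visible in this commit records why they are now considered complete. The patch's own description starts before the first hunk (only its last line, "Also disable tables for profiles that are not built.", is visible as hunk context) and its `rhel8/CMakeLists.txt | 2 --` hunk is outside the visible hunks; both should be checked so they no longer refer to cui or hipaa, otherwise the patch header and its body disagree. The same traceability applies to the eight 0.1.49 backport patches this commit deletes: each should be matched to the upstream 0.1.50 content that supersedes it, in particular drop-rsyslog-rules.patch, whose "temporarily dropped" OSPP change would silently regress if 0.1.50 does not carry it. If the spec's %changelog entry is part of this commit, it should name cui and hipaa as newly shipped profiles.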
@@ -1,150 +0,0 @@ -From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 5 Feb 2020 10:23:44 +0100 -Subject: [PATCH 1/4] Add and fix few entries of SRG mapping. - ---- - .../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 + - .../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 + - .../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +- - .../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +- - 4 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -index 1b42b7233b..4dcbc458d1 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -@@ -37,6 +37,7 @@ references: - cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 - iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 - cis-csc: 11,14,3,9 -+ srg: SRG-OS-000096-GPOS-00050 - - {{{ complete_ocil_entry_module_disable(module="dccp") }}} - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml -index 298f17d2d8..d1ec9f644e 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml -@@ -28,6 +28,7 @@ identifiers: - references: - nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 - nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 -+ srg: SRG-OS-000368-GPOS-00154 - - platform: machine - -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -index b20323c1af..39aa044941 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -@@ -34,7 +34,7 @@ references: - nist-csf: PR.AC-7 - ospp: FMT_MOF_EXT.1 - pcidss: Req-8.1.8 -- srg: OS-SRG-000029-GPOS-00010 -+ srg: SRG-OS-000029-GPOS-00010 - stigid@rhel7: "010110" - isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' - isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -index 0380f0149f..7742b8d862 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -@@ -35,7 +35,7 @@ references: - nist-csf: PR.AC-7 - ospp: FMT_MOF_EXT.1 - pcidss: Req-8.1.8 -- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011 -+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011 - stigid@rhel7: "010060" - isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' - isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 - -From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 5 Feb 2020 10:33:54 +0100 -Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227 - -The SRG is about configuring the system in accordance with security -baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs. 
---- - .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 + - .../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -index 4bfb72702b..62b2d01924 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -@@ -25,6 +25,7 @@ identifiers: - - references: - ospp: FIA_AFL.1 -+ srg: SRG-OS-000480-GPOS-00227 - - ocil: |- - To determine whether the SSH service is configured to use strong entropy seed, -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -index 8a958e93b0..47dc8953e4 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -@@ -25,6 +25,7 @@ identifiers: - - references: - ospp: FIA_AFL.1 -+ srg: SRG-OS-000480-GPOS-00227 - - ocil: |- - To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation - -From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 5 Feb 2020 11:12:02 +0100 -Subject: [PATCH 3/4] Same SRG mapping as - package_subscription-manager_installed - -The package provides an interface for automation of package updates ---- - .../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml -index 6b0144fd54..8f081d9a3c 100644 ---- 
a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml -@@ -20,6 +20,7 @@ identifiers: - - references: - ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 -+ srg: SRG-OS-000366-GPOS-00153 - - ocil_clause: 'the package is not installed' - - -From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 5 Feb 2020 11:14:35 +0100 -Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item - -From rule's rationale: -Binaries in pigz package are compiled without sufficient stack -protection and its ADSLR is weak. ---- - .../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml -index 595b78e768..bb724d916d 100644 ---- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml -@@ -18,6 +18,9 @@ severity: low - identifiers: - cce@rhel8: 82397-1 - -+references: -+ srg: SRG-OS-000433-GPOS-00192 -+ - {{{ complete_ocil_entry_package(package="pigz") }}} - - template: diff --git a/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch b/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch deleted file mode 100644 index f31b1eb..0000000 --- a/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 4 Feb 2020 17:38:45 +0100 -Subject: [PATCH] Add rules to configure rsyslog TLS - ---- - rhel8/profiles/stig.profile | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile -index d85e18e9d0..821cc26914 100644 ---- a/rhel8/profiles/stig.profile -+++ b/rhel8/profiles/stig.profile -@@ -33,3 +33,9 @@ selections: - - encrypt_partitions - - sysctl_net_ipv4_tcp_syncookies - - clean_components_post_updating -+ -+ # Configure TLS for remote logging -+ - package_rsyslog_installed -+ - package_rsyslog-gnutls_installed -+ - rsyslog_remote_tls -+ - rsyslog_remote_tls_cacert diff --git a/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch b/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch deleted file mode 100644 index 3540734..0000000 --- a/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 3 Feb 2020 21:23:59 +0100 -Subject: [PATCH] Add Kickstart file for STIG profile - -Based on OSPP KS ---- - rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++ - 1 file changed, 167 insertions(+) - create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg - -diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg -new file mode 100644 -index 0000000000..8c970dd6ff ---- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg -@@ -0,0 +1,167 @@ -+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate 
network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --bootproto dhcp -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -+# to see how to create encrypted password form for different plaintext password -+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. 
-+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -+# to see how to create encrypted password form for different plaintext password -+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" -+# Ensure 
/var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" -+logvol swap --name=swap --vgname=VolGroup --size=2016 -+ -+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) -+# content - security policies - on the installed system.This add-on has been enabled by default -+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this -+# functionality will automatically be installed. However, by default, no policies are enforced, -+# meaning that no checks are performed during or after installation unless specifically configured. -+# -+# Important -+# Applying a security policy is not necessary on all systems. This screen should only be used -+# when a specific policy is mandated by your organization rules or government regulations. -+# Unlike most other commands, this add-on does not accept regular options, but uses key-value -+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. -+# Values can be optionally enclosed in single quotes (') or double quotes ("). -+# -+# The following keys are recognized by the add-on: -+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. -+# - If the content-type is scap-security-guide, the add-on will use content provided by the -+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. -+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. 
-+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. -+# xccdf-id - ID of the benchmark you want to use. -+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. -+# profile - ID of the profile to be applied. Use default to apply the default profile. -+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. -+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. -+# -+# The following is an example %addon org_fedora_oscap section which uses content from the -+# scap-security-guide on the installation media: -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_stig -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch b/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch deleted file mode 100644 index c3437cd..0000000 --- a/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek - -Date: Mon, 3 Feb 2020 11:37:50 +0100 -Subject: remove rsyslog rules from ospp - ---- - rhel8/profiles/ospp.profile | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index ef3ced501..fb653de9d 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -178,8 +178,6 @@ selections: - - package_audispd-plugins_installed - - package_scap-security-guide_installed - - package_audit_installed -- - package_rsyslog_installed -- - package_rsyslog-gnutls_installed - - package_gnutls-utils_installed - - package_nss-tools_installed - -@@ -391,8 +389,7 @@ selections: - - timer_dnf-automatic_enabled - - # Configure TLS for remote logging -- - rsyslog_remote_tls -- - rsyslog_remote_tls_cacert -+ # temporarily dropped - - # Prevent Kerberos use by system daemons - - kerberos_disable_no_keytab --- -2.25.0 - diff --git a/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch b/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch deleted file mode 100644 index 6d06f2c..0000000 --- a/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 6 Feb 2020 11:29:31 +0100 -Subject: [PATCH] Map missing SRG rules - ---- - .../guide/system/software/gnome/dconf_db_up_to_date/rule.yml | 3 +++ - .../system-tools/package_gnutls-utils_installed/rule.yml | 1 + - .../software/system-tools/package_nss-tools_installed/rule.yml | 1 + - 3 files changed, 5 insertions(+) - -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -index 3017b789f8..3e0b4fa2d1 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -@@ -20,6 +20,9 @@ identifiers: - cce@rhel8: 81003-6 - cce@rhel7: 81004-4 - -+references: -+ srg: SRG-OS-000480-GPOS-00227 -+ - ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' - - ocil: |- -diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -index ebb8ad95f0..1374900664 100644 ---- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml -@@ -21,6 +21,7 @@ identifiers: - - references: - ospp: FMT_SMF_EXT.1 -+ srg: SRG-OS-000480-GPOS-00227 - - ocil_clause: 'the package is not installed' - -diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml -index 32c9c32893..5d0d679a1a 100644 ---- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml -@@ -19,6 +19,7 @@ identifiers: - - 
references: - ospp: FMT_SMF_EXT.1 -+ srg: SRG-OS-000480-GPOS-00227 - - ocil_clause: 'the package is not installed' - diff --git a/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch b/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch deleted file mode 100644 index 6c1df7e..0000000 --- a/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 21 Jan 2020 14:17:00 +0100 -Subject: [PATCH 1/2] Don't check for path len of logs directory - -The logs are not part of the tarball, nor used to build the content. ---- - tests/ensure_paths_are_short.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py -index 5d4e27cb91..18d4c662ff 100755 ---- a/tests/ensure_paths_are_short.py -+++ b/tests/ensure_paths_are_short.py -@@ -13,6 +13,10 @@ def main(): - ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), "..")) - max_path = "" - for dir_, _, files in os.walk(ssg_root): -+ # Don't check for path len of log files -+ # They are not shipped nor used during build -+ if "tests/logs/" in dir_: -+ continue - for file_ in files: - path = os.path.relpath(os.path.join(dir_, file_), ssg_root) - if len(path) > len(max_path): - -From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 21 Jan 2020 15:05:17 +0100 -Subject: [PATCH 2/2] Skip only only tests/logs/ from project root - ---- - tests/ensure_paths_are_short.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py -index 18d4c662ff..b9e985fea0 100755 ---- a/tests/ensure_paths_are_short.py -+++ b/tests/ensure_paths_are_short.py -@@ -15,7 +15,8 @@ def main(): - for dir_, _, files in os.walk(ssg_root): - # Don't check for path len of log files - # They are not shipped nor used during build -- if "tests/logs/" in dir_: -+ current_relative_path = os.path.relpath(dir_, ssg_root) -+ if current_relative_path.startswith("tests/logs/"): - continue - for file_ in files: - path = os.path.relpath(os.path.join(dir_, file_), ssg_root) 
diff --git a/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch b/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch deleted file mode 100644 index 8243778..0000000 --- a/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch +++ /dev/null @@ -1,593 +0,0 @@ -From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Mon, 27 Jan 2020 11:51:53 +0100 -Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper. - ---- - .../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++ - rhel8/profiles/ospp.profile | 1 + - shared/references/cce-redhat-avail.txt | 1 - - 3 files changed, 66 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -new file mode 100644 -index 0000000000..e9ea8ed338 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -@@ -0,0 +1,65 @@ -+documentation_complete: true -+ -+# TODO: The plan is not to need this for RHEL>=8.4 -+prodtype: rhel8 -+ -+title: 'OpenSSL uses strong entropy source' -+ -+description: |- -+ To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, -+ save the following shell snippet to the /etc/profile.d/cc-config.sh: -+
-+    # provide a default -rand /dev/random option to openssl commands that
-+    # support it
-+
-+    # written inefficiently for maximum shell compatibility
-+    openssl()
-+    (
-+      openssl_bin=/usr/bin/openssl
-+
-+      case "$*" in
-+        # if user specified -rand, honor it
-+        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
-+      esac
-+
-+      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
-+      for i in `$openssl_bin list -commands`; do
-+        if $openssl_bin list -options "$i" | grep -q '^rand '; then
-+          cmds=" $i $cmds"
-+        fi
-+      done
-+
-+      case "$cmds" in
-+        *\ "$1"\ *)
-+          cmd="$1"; shift
-+          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
-+      esac
-+
-+      exec $openssl_bin "$@"
-+    )
-+    
-+ -+rationale: |- -+ The openssl default configuration uses less robust entropy sources for seeding. -+ The referenced script is sourced to every login shell, and it transparently adds an option -+ that enforces strong entropy to every openssl invocation, -+ which makes openssl more secure by default. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82721-2 -+ -+references: -+ ospp: FIA_AFL.1 -+ -+ocil: |- -+ To determine whether the openssl wrapper is configured correcrlty, -+ make sure that the /etc/profile.d/cc-config.sh file contains contents -+ that are included in the rule's description. -+ -+ocil_clause: |- -+ there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description -+ -+warnings: -+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index 63aea526b7..ef3ced5010 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -59,6 +59,7 @@ selections: - - sshd_enable_warning_banner - - sshd_rekey_limit - - sshd_use_strong_rng -+ - openssl_use_strong_entropy - - # Time Server - - chronyd_client_only -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 4cb08794f4..1733872dfa 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -248,6 +248,5 @@ - CCE-82719-6 - CCE-82720-4 --CCE-82721-2 - CCE-82722-0 - CCE-82723-8 - CCE-82724-6 - -From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Jan 2020 19:35:06 +0100 -Subject: [PATCH 2/6] create checks, remediations, - ---- - .../ansible/shared.yml | 12 +++++++ - .../openssl_use_strong_entropy/bash/shared.sh | 5 +++ - .../oval/shared.xml | 34 +++++++++++++++++++ - .../openssl_use_strong_entropy/rule.yml | 29 
+--------------- - shared/macros.jinja | 34 ++++++++++++++++++- - 5 files changed, 85 insertions(+), 29 deletions(-) - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -new file mode 100644 -index 0000000000..3ce26d6525 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -@@ -0,0 +1,12 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: "copy a file with shell snippet to configure openssl strong entropy" -+ copy: -+ dest: /etc/profile.d/cc-config.sh -+ content: |+ -+ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} -+ -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh -new file mode 100644 -index 0000000000..db5c331ce7 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh -@@ -0,0 +1,5 @@ -+# platform = Red Hat Enterprise Linux 8 -+ -+cat > /etc/profile.d/cc-config.sh <<- 'EOM' -+{{{ openssl_strong_entropy_config_file() }}} -+EOM -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml -new file mode 100644 -index 0000000000..b441b7ae6e ---- /dev/null -+++ 
b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml -@@ -0,0 +1,34 @@ -+ -+ -+ -+ Configure Openssl to use strong entropy -+ -+ Red Hat Enterprise Linux 8 -+ multi_platform_fedora -+ -+ OpenSSL should be configured to generate random data with strong entropy. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/profile.d/cc-config.sh -+ SHA-256 -+ -+ -+ -+ /etc/profile.d/cc-config.sh -+ SHA-256 -+ 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af -+ -+ -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -index e9ea8ed338..3b01da01af 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -@@ -9,34 +9,7 @@ description: |- - To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, - save the following shell snippet to the /etc/profile.d/cc-config.sh: -
--    # provide a default -rand /dev/random option to openssl commands that
--    # support it
--
--    # written inefficiently for maximum shell compatibility
--    openssl()
--    (
--      openssl_bin=/usr/bin/openssl
--
--      case "$*" in
--        # if user specified -rand, honor it
--        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
--      esac
--
--      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
--      for i in `$openssl_bin list -commands`; do
--        if $openssl_bin list -options "$i" | grep -q '^rand '; then
--          cmds=" $i $cmds"
--        fi
--      done
--
--      case "$cmds" in
--        *\ "$1"\ *)
--          cmd="$1"; shift
--          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
--      esac
--
--      exec $openssl_bin "$@"
--    )
-+    {{{ openssl_strong_entropy_config_file() | indent(4) }}}
-     
- - rationale: |- -diff --git a/shared/macros.jinja b/shared/macros.jinja -index 77f8eb31c7..8a25acc937 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned" - - - {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}} -- When selecting this rule in a profile, -+ When selecting this rule in a profile, - {{%- if why %}} - make sure that rule with ID {{{ rule_id }}} is selected as well: {{{ why }}} - {{%- else %}} - rule {{{ rule_id }}} has to be selected as well. - {{%- endif %}} - {{% endmacro %}} -+ -+{{% macro openssl_strong_entropy_config_file() -%}} -+# provide a default -rand /dev/random option to openssl commands that -+# support it -+ -+# written inefficiently for maximum shell compatibility -+openssl() -+( -+ openssl_bin=/usr/bin/openssl -+ -+ case "$*" in -+ # if user specified -rand, honor it -+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; -+ esac -+ -+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` -+ for i in `$openssl_bin list -commands`; do -+ if $openssl_bin list -options "$i" | grep -q '^rand '; then -+ cmds=" $i $cmds" -+ fi -+ done -+ -+ case "$cmds" in -+ *\ "$1"\ *) -+ cmd="$1"; shift -+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; -+ esac -+ -+ exec $openssl_bin "$@" -+) -+ -+{{%- endmacro %}} - -From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Jan 2020 13:42:40 +0100 -Subject: [PATCH 3/6] add tests - ---- - .../tests/correct.pass.sh | 34 +++++++++++++++++++ - .../tests/file_missing.fail.sh | 5 +++ - .../tests/file_modified.fail.sh | 5 +++ - 3 files changed, 44 insertions(+) - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh - create mode 100644 
linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh -new file mode 100644 -index 0000000000..0bffab3c81 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh -@@ -0,0 +1,34 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+cat > /etc/profile.d/cc-config.sh <<- 'EOM' -+# provide a default -rand /dev/random option to openssl commands that -+# support it -+ -+# written inefficiently for maximum shell compatibility -+openssl() -+( -+ openssl_bin=/usr/bin/openssl -+ -+ case "$*" in -+ # if user specified -rand, honor it -+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; -+ esac -+ -+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` -+ for i in `$openssl_bin list -commands`; do -+ if $openssl_bin list -options "$i" | grep -q '^rand '; then -+ cmds=" $i $cmds" -+ fi -+ done -+ -+ case "$cmds" in -+ *\ "$1"\ *) -+ cmd="$1"; shift -+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; -+ esac -+ -+ exec $openssl_bin "$@" -+) -+EOM -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh -new file mode 100644 -index 0000000000..c1d526902c ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+rm -f /etc/profile.d/cc-config.sh -diff --git 
a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh -new file mode 100644 -index 0000000000..313d14a37f ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+echo "wrong data" > /etc/profile.d/cc-config.sh - -From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Jan 2020 11:12:46 +0100 -Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do - not support it - ---- - .../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -index 3ce26d6525..bdc530f9f5 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -@@ -8,5 +8,5 @@ - copy: - dest: /etc/profile.d/cc-config.sh - content: |+ -- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} -+ {{{ openssl_strong_entropy_config_file()|indent(8) }}} - - -From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 30 Jan 2020 14:25:31 +0100 -Subject: [PATCH 5/6] reword rationale, change file name - -from cc-config.sh to openssl-rand.sh -change title of oval ---- - .../openssl_use_strong_entropy/ansible/shared.yml | 2 +- - .../openssl_use_strong_entropy/bash/shared.sh | 2 +- - .../openssl_use_strong_entropy/oval/shared.xml | 11 
++++------- - .../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++--------- - .../tests/correct.pass.sh | 2 +- - .../tests/file_missing.fail.sh | 2 +- - .../tests/file_modified.fail.sh | 2 +- - 7 files changed, 14 insertions(+), 21 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -index bdc530f9f5..6ee232892d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -@@ -6,7 +6,7 @@ - - - name: "copy a file with shell snippet to configure openssl strong entropy" - copy: -- dest: /etc/profile.d/cc-config.sh -+ dest: /etc/profile.d/openssl-rand.sh - content: |+ - {{{ openssl_strong_entropy_config_file()|indent(8) }}} - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh -index db5c331ce7..d8c9935005 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh -@@ -1,5 +1,5 @@ - # platform = Red Hat Enterprise Linux 8 - --cat > /etc/profile.d/cc-config.sh <<- 'EOM' -+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' - {{{ openssl_strong_entropy_config_file() }}} - EOM -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml -index b441b7ae6e..847754f36d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml -+++ 
b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml -@@ -1,11 +1,8 @@ - - - -- Configure Openssl to use strong entropy -- -- Red Hat Enterprise Linux 8 -- multi_platform_fedora -- -+ Configure OpenSSL to use strong entropy -+ {{{- oval_affected(products) }}} - OpenSSL should be configured to generate random data with strong entropy. - - -@@ -22,12 +19,12 @@ - - - -- /etc/profile.d/cc-config.sh -+ /etc/profile.d/openssl-rand.sh - SHA-256 - - - -- /etc/profile.d/cc-config.sh -+ /etc/profile.d/openssl-rand.sh - SHA-256 - 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -index 3b01da01af..dd82336532 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source' - - description: |- - To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, -- save the following shell snippet to the /etc/profile.d/cc-config.sh: -+ save the following shell snippet to the /etc/profile.d/openssl-rand.sh: -
-     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
-     
- - rationale: |- -- The openssl default configuration uses less robust entropy sources for seeding. -- The referenced script is sourced to every login shell, and it transparently adds an option -- that enforces strong entropy to every openssl invocation, -- which makes openssl more secure by default. -+ This rule ensures that openssl always uses SP800-90A compliant random number generator. - - severity: medium -- - identifiers: - cce@rhel8: 82721-2 - -@@ -27,12 +23,12 @@ references: - ospp: FIA_AFL.1 - - ocil: |- -- To determine whether the openssl wrapper is configured correcrlty, -- make sure that the /etc/profile.d/cc-config.sh file contains contents -+ To determine whether the openssl wrapper is configured correctly, -+ make sure that the /etc/profile.d/openssl-rand.sh file contains contents - that are included in the rule's description. - - ocil_clause: |- -- there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description -+ there is no /etc/profile.d/openssl-rand.sh file, or its contents don't match those in the description - - warnings: - - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." 
-diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh -index 0bffab3c81..d7f3ce8c87 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh -@@ -2,7 +2,7 @@ - # platform = Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_ospp - --cat > /etc/profile.d/cc-config.sh <<- 'EOM' -+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' - # provide a default -rand /dev/random option to openssl commands that - # support it - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh -index c1d526902c..64a580da91 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh -@@ -2,4 +2,4 @@ - # platform = Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_ospp - --rm -f /etc/profile.d/cc-config.sh -+rm -f /etc/profile.d/openssl-rand.sh -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh -index 313d14a37f..2c812e874b 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh -@@ -2,4 +2,4 @@ - # platform = Red Hat Enterprise Linux 8 - # profiles = 
xccdf_org.ssgproject.content_profile_ospp - --echo "wrong data" > /etc/profile.d/cc-config.sh -+echo "wrong data" > /etc/profile.d/openssl-rand.sh - -From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 31 Jan 2020 16:34:48 +0100 -Subject: [PATCH 6/6] Rule and remediation wording improvements. - ---- - .../openssl_use_strong_entropy/ansible/shared.yml | 3 +-- - .../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++----- - 2 files changed, 11 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -index 6ee232892d..25afb8e27f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml -@@ -4,9 +4,8 @@ - # complexity = low - # disruption = low - --- name: "copy a file with shell snippet to configure openssl strong entropy" -+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy" - copy: - dest: /etc/profile.d/openssl-rand.sh - content: |+ - {{{ openssl_strong_entropy_config_file()|indent(8) }}} -- -diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -index dd82336532..8a958e93b0 100644 ---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml -@@ -6,14 +6,18 @@ prodtype: rhel8 - title: 'OpenSSL uses strong entropy source' - - description: |- -- To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, -- save the following shell snippet to 
the /etc/profile.d/openssl-rand.sh: -+ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. -+ A way to configure OpenSSL to always use a strong source is to setup a wrapper that -+ defines a shell function that shadows the actual openssl binary, -+ and that ensures that the -rand /dev/random option is added to every openssl invocation. -+ -+ To do so, place the following shell snippet exactly as-is to /etc/profile.d/openssl-rand.sh: -
-     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
-     
- - rationale: |- -- This rule ensures that openssl always uses SP800-90A compliant random number generator. -+ This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. - - severity: medium - identifiers: -@@ -23,8 +27,9 @@ references: - ospp: FIA_AFL.1 - - ocil: |- -- To determine whether the openssl wrapper is configured correctly, -- make sure that the /etc/profile.d/openssl-rand.sh file contains contents -+ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation -+ uses a SP800-90A compliant entropy source, -+ make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those - that are included in the rule's description. - - ocil_clause: |- diff --git a/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch b/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch deleted file mode 100644 index 70760f0..0000000 --- a/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch +++ /dev/null 
@@ -1,1951 +0,0 @@ -From dd25ef669719bffe40f3024dbc949e421779f106 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 9 Dec 2019 16:25:50 +0100 -Subject: [PATCH] Split audit rules for OSPP - ---- - docs/manual/developer_guide.adoc | 7 + - .../policy_rules/audit_access_failed/rule.yml | 53 +++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_access_success/rule.yml | 58 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_basic_configuration/rule.yml | 66 +++++++++ - .../tests/correct_rules.pass.sh | 3 + - .../tests/file_missing.fail.sh | 3 + - .../tests/file_not_identical.fail.sh | 4 + - .../policy_rules/audit_create_failed/rule.yml | 66 +++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_create_success/rule.yml | 59 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../policy_rules/audit_delete_failed/rule.yml | 58 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_delete_success/rule.yml | 57 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../tests/failed_delete_rules.fail.sh | 1 + - .../tests/no_rule.fail.sh | 1 + - .../audit_immutable_login_uids/rule.yml | 54 +++++++ - .../tests/correct_rules.pass.sh | 1 + - .../policy_rules/audit_modify_failed/rule.yml | 66 +++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_modify_success/rule.yml | 61 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../policy_rules/audit_module_load/rule.yml | 58 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../policy_rules/audit_ospp_general/rule.yml | 138 ++++++++++++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_owner_change_failed/rule.yml | 59 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_owner_change_success/rule.yml | 60 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_perm_change_failed/rule.yml | 58 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - .../audit_perm_change_success/rule.yml | 57 ++++++++ - .../tests/correct_rules.pass.sh | 1 + - 
.../audit_rules_for_ospp/oval/shared.xml | 8 +- - rhel8/profiles/ospp.profile | 17 ++- - shared/macros-ansible.jinja | 15 ++ - shared/macros-bash.jinja | 11 ++ - shared/macros-oval.jinja | 41 ++++++ - shared/references/cce-redhat-avail.txt | 11 -- - .../template_ANSIBLE_audit_file_contents | 11 ++ - .../template_BASH_audit_file_contents | 14 ++ - .../template_OVAL_audit_file_contents | 7 + - ssg/templates.py | 20 +++ - tests/shared/audit/10-base-config.rules | 13 ++ - tests/shared/audit/11-loginuid.rules | 3 + - .../audit/30-ospp-v42-1-create-failed.rules | 13 ++ - .../audit/30-ospp-v42-1-create-success.rules | 7 + - .../audit/30-ospp-v42-2-modify-failed.rules | 13 ++ - .../audit/30-ospp-v42-2-modify-success.rules | 7 + - .../audit/30-ospp-v42-3-access-failed.rules | 5 + - .../audit/30-ospp-v42-3-access-success.rules | 4 + - .../audit/30-ospp-v42-4-delete-failed.rules | 5 + - .../audit/30-ospp-v42-4-delete-success.rules | 3 + - .../30-ospp-v42-5-perm-change-failed.rules | 5 + - .../30-ospp-v42-5-perm-change-success.rules | 3 + - .../30-ospp-v42-6-owner-change-failed.rules | 5 + - .../30-ospp-v42-6-owner-change-success.rules | 3 + - tests/shared/audit/30-ospp-v42.rules | 80 ++++++++++ - tests/shared/audit/43-module-load.rules | 6 + - 63 files changed, 1376 insertions(+), 16 deletions(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh - create mode 100644 
linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh - create mode 100644 
linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh - create mode 100644 shared/templates/template_ANSIBLE_audit_file_contents - create mode 100644 shared/templates/template_BASH_audit_file_contents - create mode 100644 shared/templates/template_OVAL_audit_file_contents - create mode 100644 tests/shared/audit/10-base-config.rules - create mode 100644 tests/shared/audit/11-loginuid.rules - create mode 100644 tests/shared/audit/30-ospp-v42-1-create-failed.rules - create mode 100644 tests/shared/audit/30-ospp-v42-1-create-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-failed.rules - create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42-3-access-failed.rules - create mode 100644 
tests/shared/audit/30-ospp-v42-3-access-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-failed.rules - create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules - create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules - create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-success.rules - create mode 100644 tests/shared/audit/30-ospp-v42.rules - create mode 100644 tests/shared/audit/43-module-load.rules - -diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc -index 4cccea23d..76c1c1021 100644 ---- a/docs/manual/developer_guide.adoc -+++ b/docs/manual/developer_guide.adoc -@@ -1449,6 +1449,13 @@ audit_rules_privileged_commands:: - ** *path* - the path of the privileged command - eg. `/usr/bin/mount` - * Languages: Ansible, Bash, OVAL - -+audit_file_contents:: -+* Ensure that audit `.rules` file specified by parameter `filepath` contains the contents specified in parameter `contents`. 
-+* Parameters: -+** *filepath* - path to audit rules file, e.g.: `/etc/audit/rules.d/10-base-config.rules` -+** *contents* - expected contents of the file -+* Languages: Ansible, Bash, OVAL -+ - audit_rules_unsuccessful_file_modification:: - * Ensure there is an Audit rule to record unsuccessful attempts to access files - * Parameters: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -new file mode 100644 -index 000000000..6172751f1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -@@ -0,0 +1,53 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful file accesses' -+ -+{{% set file_contents_audit_access_failed = -+"## Unsuccessful file access (any other opens) This has to go last. -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to access a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_access_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82833-5 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_access_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_access_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..ce7c7a0dd ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-3-access-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -new file mode 100644 -index 000000000..8d0625a1d ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful file accesses' -+ -+{{% set file_contents_audit_access_success = -+"## Successful file access (any other opens) This has to go last. -+## These next two are likely to result in a whole lot of events -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -+" %}} -+ -+description: |- -+ Ensure that successful attempts to access a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_access_success|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing of successful attempts to access a file helps in investigation of activities performed on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82834-3 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_access_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -+ contents: |+ -+ {{{ file_contents_audit_access_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..7092f2c47 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml -new file mode 100644 -index 000000000..24cac20a2 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml -@@ -0,0 +1,66 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure basic parameters of Audit system' -+ -+{{% set file_contents_audit_base_config = -+"## First rule - delete all -+-D -+ -+## Increase the buffers to survive stress events. -+## Make this bigger for busy systems -+-b 8192 -+ -+## This determine how long to wait in burst of events -+--backlog_wait_time 60000 -+ -+## Set failure mode to syslog -+-f 1 -+ -+" %}} -+ -+description: |- -+ Perform basic configuration of Audit system. -+ Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_base_config|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/10-base-config.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ -+rationale: |- -+ Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82827-7 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/10-base-config.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_base_config|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/10-base-config.rules -+ contents: |+ -+ {{{ file_contents_audit_base_config|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..2335ce458 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh -@@ -0,0 +1,3 @@ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh -new file mode 100644 -index 000000000..aa506a736 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh -@@ -0,0 +1,3 @@ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+rm -f /etc/audit/rules.d/10-base-config.rules -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh -new file mode 100644 -index 000000000..4e7ce04c5 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh -@@ -0,0 +1,4 @@ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/ -+echo "some additional text" >> /etc/audit/rules.d/10-base-config.rules -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -new file mode 
100644 -index 000000000..7cd677661 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -@@ -0,0 +1,66 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful file creations' -+ -+{{% set file_contents_audit_create_failed = -+"## Unsuccessful file creation (open with O_CREAT) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to create a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_create_failed|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82374-0 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_create_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_create_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..9a7fe431a ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -new file mode 100644 -index 000000000..4c933ec50 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -@@ -0,0 +1,59 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful file creations' -+ -+{{% set file_contents_audit_create_success = -+"## Successful file creation (open with O_CREAT) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+" %}} -+ -+description: |- -+ Ensure that successful attempts to create a file are audited. 
-+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_create_success |indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ -+rationale: |- -+ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82829-3 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_create_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -+ contents: |+ -+ {{{ file_contents_audit_create_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..dcc4afe73 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -new file mode 100644 -index 000000000..b9084f217 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful file deletions' -+ -+{{% set file_contents_audit_delete_failed = -+"## Unsuccessful file delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to delete a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_delete_failed|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82835-0 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_delete_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_delete_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..9ae890203 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -new file mode 100644 -index 000000000..7d445d751 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -@@ -0,0 +1,57 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful file deletions' -+ -+{{% set file_contents_audit_delete_success = -+"## Successful file delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -+" %}} -+ -+description: |- -+ Ensure that successful attempts to delete a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_delete_success|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82836-8 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_delete_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -+ contents: |+ -+ {{{ file_contents_audit_delete_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..0a348baf6 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh -new file mode 100644 -index 000000000..9ae890203 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh -new file mode 100644 -index 000000000..3acb94ab6 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh -@@ -0,0 +1 @@ -+rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules. 
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml -new file mode 100644 -index 000000000..eb87848e8 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure immutable Audit login UIDs' -+ -+{{% set file_contents_audit_immutable_login = -+"## Make the loginuid immutable. This prevents tampering with the auid. -+--loginuid-immutable -+ -+" %}} -+ -+description: |- -+ Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_immutable_login|indent }}}    
-+ -+ The Audit provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/11-loginuid.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+rationale: |- -+ If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82828-5 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/11-loginuid.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_immutable_login|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/11-loginuid.rules -+ contents: |+ -+ {{{ file_contents_audit_immutable_login|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..42178a67d ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/11-loginuid.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -new file mode 100644 -index 000000000..e9a24d9f5 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -@@ -0,0 +1,66 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful file modifications' -+ -+{{% set file_contents_audit_modify_failed = -+"## Unsuccessful file modifications (open for write or truncate) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-modification -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to modify a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_modify_failed|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82830-1 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_modify_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_modify_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..58a11a63c ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -new file mode 100644 -index 000000000..71c313ece ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -@@ -0,0 +1,61 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful file modifications' -+ -+{{% set file_contents_audit_modify_success = -+"## Successful file modifications (open for write or truncate) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+" %}} -+ 
-+description: |- -+ Ensure that successful attempts to modify a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_modify_success|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82832-7 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_modify_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -+ contents: |+ -+ {{{ file_contents_audit_modify_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..163ffa5db ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -new file mode 100644 -index 000000000..30be01ce0 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of loading and unloading of kernel modules' -+ -+{{% set file_contents_audit_module_load = -+"## These rules watch for kernel module insertion. By monitoring -+## the syscall, we do not need any watches on programs. -+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -+-a always,exit -F arch=b32 -S delete_module -F key=module-unload -+-a always,exit -F arch=b64 -S delete_module -F key=module-unload -+" %}} -+ -+description: |- -+ Ensure that loading and unloading of kernel modules is audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_module_load|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/43-module-load.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ -+rationale: |- -+ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82838-4 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/43-module-load.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_module_load|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/43-module-load.rules -+ contents: |+ -+ {{{ file_contents_audit_module_load|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..c2d651e4c ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/43-module-load.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -new file mode 100644 -index 000000000..0649e0682 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -@@ -0,0 +1,138 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Perform general configuration of Audit for OSPP' -+ -+{{% set file_contents_audit_ospp_general = -+"## The purpose of these rules is to meet the requirements for Operating -+## System Protection Profile (OSPP)v4.2. These rules depends on having -+## the following rule files copied to /etc/audit/rules.d: -+## -+## 10-base-config.rules, 11-loginuid.rules, -+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -+## 30-ospp-v42-5-perm-change-failed.rules, -+## 30-ospp-v42-5-perm-change-success.rules, -+## 30-ospp-v42-6-owner-change-failed.rules, -+## 30-ospp-v42-6-owner-change-success.rules -+## -+## original copies may be found in /usr/share/audit/sample-rules/ -+ -+ -+## User add delete modify. This is covered by pam. 
However, someone could -+## open a file and directly create or modify a user, so we'll watch passwd and -+## shadow for writes -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+ -+## User enable and disable. This is entirely handled by pam. -+ -+## Group add delete modify. This is covered by pam. However, someone could -+## open a file and directly create or modify a user, so we'll watch group and -+## gshadow for writes -+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+ -+ -+## Use of special rights for config changes. This would be use of setuid -+## programs that relate to user accts. This is not all setuid apps because -+## requirements are only for ones that affect system configuration. 
-+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+ -+## Privilege escalation via su or sudo. This is entirely handled by pam. 
-+ -+## Audit log access -+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -+## Attempts to Alter Process and Session Initiation Information -+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+ -+## Attempts to modify MAC controls -+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy -+ -+## Software updates. This is entirely handled by rpm. -+ -+## System start and shutdown. This is entirely handled by systemd -+ -+## Kernel Module loading. This is handled in 43-module-load.rules -+ -+## Application invocation. The requirements list an optional requirement -+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -+## state results from that policy. This would be handled entirely by -+## that daemon. -+ -+" %}} -+ -+description: |- -+ Configure some basic Audit parameters specific for OSPP profile. -+ In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. -+ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. -+ -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_ospp_general|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+ -+rationale: |- -+ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82373-2 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_ospp_general|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42.rules -+ contents: |+ -+ {{{ file_contents_audit_ospp_general|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..dcf3a88a6 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -new file mode 100644 -index 000000000..1068fb8a9 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -@@ -0,0 +1,59 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful ownership changes' -+ -+{{% set file_contents_audit_owner_change_failed = -+"## Unsuccessful ownership change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to change an ownership of files or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_owner_change_failed|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82384-9 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_owner_change_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_owner_change_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..b5227b4c5 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -new file mode 100644 -index 000000000..6ffa0e4fc ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -@@ -0,0 +1,60 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful ownership changes' -+ -+{{% set file_contents_audit_owner_change_success = -+"## Successful ownership change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -+" %}} -+ -+description: |- -+ Ensure that successful attempts to change an ownership of files or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_owner_change_success|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
-+    
-+ -+ The file has the following SHA-256 checksum: -+
7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82385-6 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_owner_change_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -+ contents: |+ -+ {{{ file_contents_audit_owner_change_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..27eaf4a1f ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -new file mode 100644 -index 000000000..7be6299cb ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of unsuccessful permission changes' -+ -+{{% set file_contents_audit_perm_change_failed = -+"## Unsuccessful permission change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-perm-change -+" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to change file or directory permissions are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_perm_change_failed|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82837-6 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_perm_change_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -+ contents: |+ -+ {{{ file_contents_audit_perm_change_failed|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..149fda66d ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -new file mode 100644 -index 000000000..e2a247370 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -@@ -0,0 +1,57 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure auditing of successful permission changes' -+ -+{{% set file_contents_audit_perm_change_success = -+"## Successful permission change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -+" %}} -+ -+description: |- -+ Ensure that successful attempts to modify permissions of iles or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_perm_change_success|indent }}}    
-+ -+ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules. -+ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: -+
-+    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
-+    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82383-1 -+ -+references: -+ ospp: FAU_GEN.1.1.c -+ nist: AU-2(a) -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_perm_change_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -+ contents: |+ -+ {{{ file_contents_audit_perm_change_success|indent(12) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh -new file mode 100644 -index 000000000..cfa6c3f90 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh -@@ -0,0 +1 @@ -+cp $SHARED/audit/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/ -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml -index 9e5b6032f..d25ea0840 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml -@@ -1,15 +1,15 @@ - {{% macro audit_file_compare_criterion(file_id) %}} -- -+ - {{% endmacro %}} - - {{% macro audit_file_compare_test(file_id) %}} - -- -+ id="test_compare_{{{ file_id }}}_old" version="1"> -+ - - -- -+ - /etc/audit/rules.d/{{{ file_id }}}.rules - (?:.*\n)* - 1 -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index ef3ced501..5d3713ec7 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -377,7 +377,22 @@ selections: - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Kernel Module Loading and Unloading Events (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c -- - audit_rules_for_ospp -+ - audit_basic_configuration -+ - audit_immutable_login_uids -+ - audit_create_failed -+ - audit_create_success -+ - audit_modify_failed -+ - audit_modify_success -+ - audit_access_failed -+ - audit_access_success -+ - audit_delete_failed -+ - audit_delete_success -+ - 
audit_perm_change_failed
-+ - audit_perm_change_success
-+ - audit_owner_change_failed
-+ - audit_owner_change_success
-+ - audit_ospp_general
-+ - audit_module_load
- 
- ## Enable Automatic Software Updates
- ## SI-2 / FMT_MOF_EXT.1
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index f752e7a2b..c7fa22113 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -202,3 +202,18 @@
- {{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}}
- {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
- {{%- endmacro %}}
-+ 
-+{{#
-+ Generates an Ansible task that puts 'contents' into a file at 'filepath'
-+ Parameters:
-+ - filepath - filepath of the file to check
-+ - contents - contents that should be in the file
-+#}}
-+{{%- macro ansible_file_contents(filepath='', contents='') %}}
-+- name: "Put contents into {{{ filepath }}} according to policy"
-+ copy:
-+ dest: "{{{ filepath }}}"
-+ content: |+
-+ {{{ contents|indent(8) }}}
-+ force: yes
-+{{%- endmacro %}}
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index dc7fd2558..bc522fc1e 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -509,3 +509,14 @@ if ! 
grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "{{{ pam_file }}}" - sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "{{{ pam_file }}}" - fi - {{%- endmacro -%}} -+ -+{{# -+ Generates bash script code that puts 'contents' into a file at 'filepath' -+ Parameters: -+ - filepath - filepath of the file to check -+ - contents - contents that should be in the file -+#}} -+{{%- macro bash_file_contents(filepath='', contents='') %}} -+cat << 'EOF' > {{{ filepath }}} -+{{{ contents }}}EOF -+{{%- endmacro %}} -diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja -index 5f391efdc..11752785f 100644 ---- a/shared/macros-oval.jinja -+++ b/shared/macros-oval.jinja -@@ -448,3 +448,44 @@ - ^.*[\s]+{{{ option }}}=.*({{{ value }}}).*([\s]+.*$|$) - - {{%- endmacro -%}} -+ -+{{# -+ Macro which generates OVAL definition, test and object that check for contents -+ of the file. -+ Parameters: -+ - filepath - filepath of the file to check -+ - contents - contents that should be in the file -+#}} -+{{%- macro oval_file_contents(filepath='', filepath_id='', contents='') -%}} -+ -+ -+ -+ Check that contents of {{{ filepath }}} are as expected -+ {{{- oval_affected(products) }}} -+ Inspects the contents of {{{ filepath }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{{ filepath }}} -+ ^.*$ -+ 1 -+ -+ -+ -+ {{{ contents }}} -+ -+ -+ -+{{%- endmacro %}} -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 1733872df..a961f0ec0 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -103,17 +103,6 @@ CCE-82823-6 - CCE-82824-4 - CCE-82825-1 - CCE-82826-9 --CCE-82827-7 --CCE-82828-5 --CCE-82829-3 --CCE-82830-1 --CCE-82832-7 --CCE-82833-5 --CCE-82834-3 --CCE-82835-0 --CCE-82836-8 --CCE-82837-6 --CCE-82838-4 - CCE-82839-2 - CCE-82841-8 - CCE-82842-6 -diff --git a/shared/templates/template_ANSIBLE_audit_file_contents 
b/shared/templates/template_ANSIBLE_audit_file_contents
-new file mode 100644
-index 000000000..c28527454
---- /dev/null
-+++ b/shared/templates/template_ANSIBLE_audit_file_contents
-@@ -0,0 +1,11 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+{{{
-+ ansible_file_contents(
-+ filepath=FILEPATH,
-+ contents=CONTENTS,
-+ )
-+}}}
-diff --git a/shared/templates/template_BASH_audit_file_contents b/shared/templates/template_BASH_audit_file_contents
-new file mode 100644
-index 000000000..f264be6f1
---- /dev/null
-+++ b/shared/templates/template_BASH_audit_file_contents
-@@ -0,0 +1,14 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+ 
-+{{{
-+ bash_file_contents(
-+ filepath=FILEPATH,
-+ contents=CONTENTS,
-+ )
-+}}}
-+ 
-+augenrules --load
-diff --git a/shared/templates/template_OVAL_audit_file_contents b/shared/templates/template_OVAL_audit_file_contents
-new file mode 100644
-index 000000000..02e1b661d
---- /dev/null
-+++ b/shared/templates/template_OVAL_audit_file_contents
-@@ -0,0 +1,7 @@
-+{{{
-+ oval_file_contents(
-+ filepath=FILEPATH,
-+ filepath_id=FILEPATH_ID,
-+ contents=CONTENTS
-+ )
-+}}}
-diff --git a/ssg/templates.py b/ssg/templates.py
-index 8a96c8ed4..e5ed4890b 100644
---- a/ssg/templates.py
-+++ b/ssg/templates.py
-@@ -1,8 +1,10 @@
-+from __future__ import absolute_import
- from __future__ import print_function
- 
- import os
- import sys
- import re
-+from xml.sax.saxutils import unescape
- 
- import ssg.build_yaml
- 
-@@ -93,6 +95,10 @@ def audit_rules_privileged_commands(data, lang):
- data["path"] = path.replace("/", "\\/")
- return data
- 
-+@template(["ansible", "bash", "oval"])
-+def audit_rules_rule_file(data, lang):
-+ return data
-+ 
- 
- @template(["ansible", "bash", "oval"])
- def audit_rules_unsuccessful_file_modification(data, lang):
-@@ -124,6 +130,20 @@ def 
audit_rules_usergroup_modification(data, lang): - return data - - -+@template(["ansible", "bash", "oval"]) -+def audit_file_contents(data, lang): -+ if lang == "oval": -+ pathid = re.sub(r'[-\./]', '_', data["filepath"]) -+ # remove root slash made into '_' -+ pathid = pathid[1:] -+ data["filepath_id"] = pathid -+ -+ # The build system converts "<",">" and "&" for us -+ if lang == "bash" or lang == "ansible": -+ data["contents"] = unescape(data["contents"]) -+ return data -+ -+ - def _file_owner_groupowner_permissions_regex(data): - data["is_directory"] = data["filepath"].endswith("/") - if "missing_file_pass" not in data: -diff --git a/tests/shared/audit/10-base-config.rules b/tests/shared/audit/10-base-config.rules -new file mode 100644 -index 000000000..b86d66f9d ---- /dev/null -+++ b/tests/shared/audit/10-base-config.rules -@@ -0,0 +1,13 @@ -+## First rule - delete all -+-D -+ -+## Increase the buffers to survive stress events. -+## Make this bigger for busy systems -+-b 8192 -+ -+## This determine how long to wait in burst of events -+--backlog_wait_time 60000 -+ -+## Set failure mode to syslog -+-f 1 -+ -diff --git a/tests/shared/audit/11-loginuid.rules b/tests/shared/audit/11-loginuid.rules -new file mode 100644 -index 000000000..9b0a3e98a ---- /dev/null -+++ b/tests/shared/audit/11-loginuid.rules -@@ -0,0 +1,3 @@ -+## Make the loginuid immutable. This prevents tampering with the auid. 
-+--loginuid-immutable -+ -diff --git a/tests/shared/audit/30-ospp-v42-1-create-failed.rules b/tests/shared/audit/30-ospp-v42-1-create-failed.rules -new file mode 100644 -index 000000000..6aca1b943 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-1-create-failed.rules -@@ -0,0 +1,13 @@ -+## Unsuccessful file creation (open with O_CREAT) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -diff --git a/tests/shared/audit/30-ospp-v42-1-create-success.rules b/tests/shared/audit/30-ospp-v42-1-create-success.rules -new file mode 100644 -index 000000000..4141e3c60 ---- 
/dev/null -+++ b/tests/shared/audit/30-ospp-v42-1-create-success.rules -@@ -0,0 +1,7 @@ -+## Successful file creation (open with O_CREAT) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -diff --git a/tests/shared/audit/30-ospp-v42-2-modify-failed.rules b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules -new file mode 100644 -index 000000000..ffe5bfd61 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules -@@ -0,0 +1,13 @@ -+## Unsuccessful file modifications (open for write or truncate) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a 
always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -diff --git a/tests/shared/audit/30-ospp-v42-2-modify-success.rules b/tests/shared/audit/30-ospp-v42-2-modify-success.rules -new file mode 100644 -index 000000000..5617e018a ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-2-modify-success.rules -@@ -0,0 +1,7 @@ -+## Successful file modifications (open for write or truncate) -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules 
b/tests/shared/audit/30-ospp-v42-3-access-failed.rules -new file mode 100644 -index 000000000..a5aad3a95 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules -@@ -0,0 +1,5 @@ -+## Unsuccessful file access (any other opens) This has to go last. -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules -new file mode 100644 -index 000000000..0c8a6b657 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules -@@ -0,0 +1,4 @@ -+## Successful file access (any other opens) This has to go last. 
-+## These next two are likely to result in a whole lot of events -+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -diff --git a/tests/shared/audit/30-ospp-v42-4-delete-failed.rules b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules -new file mode 100644 -index 000000000..946c9cc17 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules -@@ -0,0 +1,5 @@ -+## Unsuccessful file delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -diff --git a/tests/shared/audit/30-ospp-v42-4-delete-success.rules b/tests/shared/audit/30-ospp-v42-4-delete-success.rules -new file mode 100644 -index 000000000..7955cdf85 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-4-delete-success.rules -@@ -0,0 +1,3 @@ -+## Successful file delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules -new file mode 100644 -index 000000000..49b9299d5 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules -@@ -0,0 +1,5 @@ 
-+## Unsuccessful permission change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules -new file mode 100644 -index 000000000..52cbac873 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules -@@ -0,0 +1,3 @@ -+## Successful permission change -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules -new file mode 100644 -index 000000000..44e7148c2 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules -@@ -0,0 +1,5 @@ -+## Unsuccessful ownership change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a 
always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules -new file mode 100644 -index 000000000..056b706fc ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules -@@ -0,0 +1,3 @@ -+## Successful ownership change -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules -new file mode 100644 -index 000000000..3dced1725 ---- /dev/null -+++ b/tests/shared/audit/30-ospp-v42.rules -@@ -0,0 +1,80 @@ -+## The purpose of these rules is to meet the requirements for Operating -+## System Protection Profile (OSPP)v4.2. 
These rules depends on having -+## the following rule files copied to /etc/audit/rules.d: -+## -+## 10-base-config.rules, 11-loginuid.rules, -+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -+## 30-ospp-v42-5-perm-change-failed.rules, -+## 30-ospp-v42-5-perm-change-success.rules, -+## 30-ospp-v42-6-owner-change-failed.rules, -+## 30-ospp-v42-6-owner-change-success.rules -+## -+## original copies may be found in /usr/share/audit/sample-rules/ -+ -+ -+## User add delete modify. This is covered by pam. However, someone could -+## open a file and directly create or modify a user, so we'll watch passwd and -+## shadow for writes -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+ -+## User enable and disable. This is entirely handled by pam. -+ -+## Group add delete modify. 
This is covered by pam. However, someone could -+## open a file and directly create or modify a user, so we'll watch group and -+## gshadow for writes -+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+ -+ -+## Use of special rights for config changes. This would be use of setuid -+## programs that relate to user accts. This is not all setuid apps because -+## requirements are only for ones that affect system configuration. -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F 
key=special-config-changes -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+ -+## Privilege escalation via su or sudo. This is entirely handled by pam. -+ -+## Audit log access -+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -+## Attempts to Alter Process and Session Initiation Information -+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+ -+## Attempts to modify MAC controls -+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy -+ -+## Software updates. This is entirely handled by rpm. -+ -+## System start and shutdown. This is entirely handled by systemd -+ -+## Kernel Module loading. This is handled in 43-module-load.rules -+ -+## Application invocation. The requirements list an optional requirement -+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -+## state results from that policy. This would be handled entirely by -+## that daemon. -+ -diff --git a/tests/shared/audit/43-module-load.rules b/tests/shared/audit/43-module-load.rules -new file mode 100644 -index 000000000..890750744 ---- /dev/null -+++ b/tests/shared/audit/43-module-load.rules -@@ -0,0 +1,6 @@ -+## These rules watch for kernel module insertion. By monitoring -+## the syscall, we do not need any watches on programs. 
-+-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -+-a always,exit -F arch=b32 -S delete_module -F key=module-unload -+-a always,exit -F arch=b64 -S delete_module -F key=module-unload --- -2.21.1 - diff --git a/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch b/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch deleted file mode 100644 index 97b0168..0000000 --- a/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch +++ /dev/null 
@@ -1,855 +0,0 @@ -From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 17 Jan 2020 10:49:36 +0100 -Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros. - ---- - shared/macros-ansible.jinja | 20 +++++++++++++++++++ - shared/macros-bash.jinja | 26 +++++++++++++++++++++++++ - shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++----- - 3 files changed, 80 insertions(+), 5 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 3e4a441225..c42a5156ce 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -141,6 +141,26 @@ - {{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}} - {{%- endmacro %}} - -+{{# -+ High level macro to set a value in a shell-related file that contains var assignments. This -+ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set -+ in the configuration file, and the value to set it to. We specify a case -+ sensitive comparison in the prefix since this is used to deduplicate since -+ We also specify the validation program here; see 'bash -c "help set" | grep -e -n' -+#}} -+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}} -+{{% if no_quotes -%}} -+{{%- else -%}} -+{{%- set quotes = "\"'" -%}} -+ {{% if "$" in value %}} -+ {{% set value = '"%s"' % value %}} -+ {{% else %}} -+ {{% set value = "'%s'" % value %}} -+ {{% endif %}} -+{{%- endif -%}} -+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}} -+{{%- endmacro %}} -+ - {{# - High level macro to set a command in tmux configuration file /etc/tmux.conf. 
- Parameters: -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 43200bdd8a..6c0bb2facc 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -1,5 +1,31 @@ - {{# ##### High level macros ##### #}} - -+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} -+{{% if no_quotes -%}} -+ {{% if "$" in value %}} -+ {{% set value = '%s' % value.replace("$", "\\$") %}} -+ {{% endif %}} -+{{%- else -%}} -+ {{% if "$" in value %}} -+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}} -+ {{% else %}} -+ {{% set value = "'%s'" % value %}} -+ {{% endif %}} -+{{%- endif -%}} -+{{{ set_config_file( -+ path=path, -+ parameter=parameter, -+ value=value, -+ create=true, -+ insert_after="", -+ insert_before="^Match", -+ insensitive=false, -+ separator="=", -+ separator_regex="=", -+ prefix_regex="^\s*") -+ }}} -+{{%- endmacro -%}} -+ - {{%- macro bash_sshd_config_set(parameter, value) -%}} - {{{ set_config_file( - path="/etc/ssh/sshd_config", -diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja -index 2049a24d6e..696cf36db0 100644 ---- a/shared/macros-oval.jinja -+++ b/shared/macros-oval.jinja -@@ -17,8 +17,9 @@ - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. - - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. - - section (String): If set, the parameter will be checked only within the given section defined by [section]. -+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. 
- #}} --{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}} -+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}} - - - -@@ -60,7 +61,7 @@ - - {{{ oval_line_in_file_test(path, parameter) }}} - {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}} -- {{{ oval_line_in_file_state(value, multi_value) }}} -+ {{{ oval_line_in_file_state(value, multi_value, quotes) }}} - {{%- if missing_parameter_pass %}} - {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}} - {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}} -@@ -173,12 +174,21 @@ - This macro can take two parameters: - - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. -+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. 
- #}} --{{%- macro oval_line_in_file_state(value='', multi_value='') -%}} -+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}} -+{{%- set regex = value -%}} -+{{%- if quotes != "" %}} -+{{%- if "\\1" in value > 0 %}} -+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}} -+{{%- endif %}} -+{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}} -+{{%- endif %}} - {{%- if multi_value %}} --{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}} -+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}} - {{%- else %}} --{{%- set regex = "^"+value+"$" -%}} -+{{%- set regex = "^"+regex+"$" -%}} - {{%- endif %}} - - {{{ regex }}} -@@ -232,6 +242,25 @@ - {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} - {{%- endmacro %}} - -+{{# -+ High level macro to check if a particular shell variable is set. -+ This macro can take five parameters: -+ - path (String): Path to the file. -+ - parameter (String): The shell variable name. -+ - value (String): The variable value WITHOUT QUOTES. -+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). -+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. 
-+#}} -+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} -+{{% if no_quotes -%}} -+{{%- set quotes = "" -%}} -+{{%- else -%}} -+{{%- set quotes = "\"'" -%}} -+{{%- endif -%}} -+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}} -+{{%- endmacro %}} -+ - {{# - High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. - This function can take five parameters: - -From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 17 Jan 2020 10:50:16 +0100 -Subject: [PATCH 2/7] Added tests for shell lineinfile. - ---- - tests/test_macros_oval.py | 142 ++++++++++++++++++ - .../unit/bash/test_set_config_file.bats.jinja | 56 +++++++ - 2 files changed, 198 insertions(+) - -diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py -index 65a88ba7b4..8acae8548b 100755 ---- a/tests/test_macros_oval.py -+++ b/tests/test_macros_oval.py -@@ -896,6 +896,148 @@ def main(): - "[vehicle]\nspeed =\n100", - "false" - ) -+ tester.test( -+ "SHELL commented out", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ "# SHELL=/bin/bash\n", -+ "false" -+ ) -+ tester.test( -+ "SHELL correct", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ " 
SHELL=/bin/bash\n", -+ "true" -+ ) -+ tester.test( -+ "SHELL single-quoted", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin"/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ " SHELL='/bin\"/bash'\n", -+ "true" -+ ) -+ tester.test( -+ "SHELL double-quoted", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value=' /bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ SHELL=" /bin/bash"\n""", -+ "true" -+ ) -+ tester.test( -+ "SHELL unwanted double-quoted", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value=' /bin/bash', -+ no_quotes=true, -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ SHELL=" /bin/bash"\n""", -+ "false" -+ ) -+ tester.test( -+ "SHELL unwanted single-quoted", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin"/bash', -+ no_quotes=true, -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ " SHELL='/bin\"/bash'\n", -+ "false" -+ ) -+ tester.test( -+ "SHELL double-quoted spaced", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ SHELL= "/bin/bash"\n""", -+ "false" -+ ) -+ tester.test( -+ "SHELL bad_var_case", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ Shell="/bin/bash"\n""", -+ "false" -+ ) -+ tester.test( -+ "SHELL 
bad_value_case", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ SHELL="/bin/Bash"\n""", -+ "false" -+ ) -+ tester.test( -+ "SHELL badly quoted", -+ r"""{{{ oval_check_shell_file( -+ path='CONFIG_FILE', -+ parameter='SHELL', -+ value='/bin/bash', -+ missing_parameter_pass=false, -+ application='', -+ multi_value=false, -+ missing_config_file_fail=false, -+ ) }}}""", -+ """ SHELL="/bin/bash'\n""", -+ "false" -+ ) - - tester.finish() - -diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja -index 3dc2c721d4..4126d0440e 100644 ---- a/tests/unit/bash/test_set_config_file.bats.jinja -+++ b/tests/unit/bash/test_set_config_file.bats.jinja -@@ -126,3 +126,59 @@ function call_set_config_file { - - rm "$tmp_file" - } -+ -+@test "Basic Bash remediation" { -+ tmp_file="$(mktemp)" -+ printf "%s\n" "something=foo" > "$tmp_file" -+ expected_output="something='va lue'\n" -+ -+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}} -+ -+ run diff -U2 "$tmp_file" <(printf "$expected_output") -+ echo "$output" -+ [ "$status" -eq 0 ] -+ -+ rm "$tmp_file" -+} -+ -+@test "Variable remediation - preserve dollar and use double quotes" { -+ tmp_file="$(mktemp)" -+ printf "%s\n" "something=bar" > "$tmp_file" -+ expected_output='something="$value"'"\n" -+ -+ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}} -+ -+ run diff -U2 "$tmp_file" <(printf "$expected_output") -+ echo "$output" -+ [ "$status" -eq 0 ] -+ -+ rm "$tmp_file" -+} -+ -+@test "Basic Bash remediation - don't quote" { -+ tmp_file="$(mktemp)" -+ printf "%s\n" "something=foo" > "$tmp_file" -+ expected_output="something=va lue\n" -+ -+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}} -+ -+ run diff -U2 
"$tmp_file" <(printf "$expected_output") -+ echo "$output" -+ [ "$status" -eq 0 ] -+ -+ rm "$tmp_file" -+} -+ -+@test "Variable remediation - don't quote" { -+ tmp_file="$(mktemp)" -+ printf "%s\n" "something=bar" > "$tmp_file" -+ expected_output='something=$value'"\n" -+ -+ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}} -+ -+ run diff -U2 "$tmp_file" <(printf "$expected_output") -+ echo "$output" -+ [ "$status" -eq 0 ] -+ -+ rm "$tmp_file" -+} - -From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 17 Jan 2020 10:51:02 +0100 -Subject: [PATCH 3/7] Added the shell lineinfile template. - ---- - docs/manual/developer_guide.adoc | 21 +++++++++++++++++ - .../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++ - .../templates/template_BASH_shell_lineinfile | 6 +++++ - .../templates/template_OVAL_shell_lineinfile | 10 ++++++++ - ssg/templates.py | 23 +++++++++++++++++++ - 5 files changed, 81 insertions(+) - create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile - create mode 100644 shared/templates/template_BASH_shell_lineinfile - create mode 100644 shared/templates/template_OVAL_shell_lineinfile - -diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc -index aa0a7491c3..b5d22213b7 100644 ---- a/docs/manual/developer_guide.adoc -+++ b/docs/manual/developer_guide.adoc -@@ -1591,6 +1591,27 @@ service_enabled:: - ** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service. - * Languages: Ansible, Bash, OVAL, Puppet - -+shell_lineinfile:: -+* Checks shell variable assignments in files. -+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered. 
-+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string. -+* Parameters: -+** *path* - What file to check. -+** *parameter* - name of the shell variable, eg. `SHELL`. -+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level. -+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either. -+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file. -+* Languages: Ansible, Bash, OVAL -+* Example: -+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`: -+** `HISTSIZE=500` -+** `HISTSIZE="500"` -+** `HISTSIZE='500'` -++ -+The remediation would insert one of the quoted forms if the line was not present. -++ -+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present. -+ - sshd_lineinfile:: - * Checks SSH server configuration items in `/etc/ssh/sshd_config`. - * Parameters: -diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile -new file mode 100644 -index 0000000000..7d0a3ebcbd ---- /dev/null -+++ b/shared/templates/template_ANSIBLE_shell_lineinfile -@@ -0,0 +1,21 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." 
-%}} -+{{%- if NO_QUOTES -%}} -+ {{% set msg = "Setting unquoted " ~ msg %}} -+{{%- else -%}} -+ {{% set msg = "Setting shell-quoted " ~ msg %}} -+{{%- endif -%}} -+{{{ -+ ansible_shell_set( -+ msg=msg, -+ path=PATH, -+ parameter=PARAMETER, -+ value=VALUE, -+ no_quotes=NO_QUOTES -+ ) -+}}} -+ -diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile -new file mode 100644 -index 0000000000..6bf869d62b ---- /dev/null -+++ b/shared/templates/template_BASH_shell_lineinfile -@@ -0,0 +1,6 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}} -diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile -new file mode 100644 -index 0000000000..fd05b6b568 ---- /dev/null -+++ b/shared/templates/template_OVAL_shell_lineinfile -@@ -0,0 +1,10 @@ -+{{{ -+oval_check_shell_file( -+ path=PATH, -+ parameter=PARAMETER, -+ value=VALUE, -+ no_quotes=NO_QUOTES, -+ missing_parameter_pass=MISSING_PARAMETER_PASS -+) -+}}} -+ -diff --git a/ssg/templates.py b/ssg/templates.py -index f4f56c94e6..c2c82e6c29 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang): - return data - - -+@template(["ansible", "bash", "oval"]) -+def shell_lineinfile(data, lang): -+ value = data["value"] -+ if value[0] in ("'", '"') and value[0] == value[1]: -+ msg = ( -+ "Value >>{value}<< of shell variable '{varname}' " -+ "has been supplied with quotes, please fix the content - " -+ "shell quoting is handled by the check/remediation code." 
-+ .format(value=value, varname=data["parameter"])) -+ raise Exception(msg) -+ missing_parameter_pass = data.get("missing_parameter_pass", "false") -+ if missing_parameter_pass == "true": -+ missing_parameter_pass = True -+ elif missing_parameter_pass == "false": -+ missing_parameter_pass = False -+ data["missing_parameter_pass"] = missing_parameter_pass -+ no_quotes = False -+ if data["no_quotes"] == "true": -+ no_quotes = True -+ data["no_quotes"] = no_quotes -+ return data -+ -+ - @template(["ansible", "bash", "oval"]) - def timer_enabled(data, lang): - if "packagename" not in data: - -From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 21 Jan 2020 14:13:01 +0100 -Subject: [PATCH 4/7] Fixed the templated string evaluation. - ---- - ssg/templates.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssg/templates.py b/ssg/templates.py -index c2c82e6c29..873f543f41 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang): - @template(["ansible", "bash", "oval"]) - def shell_lineinfile(data, lang): - value = data["value"] -- if value[0] in ("'", '"') and value[0] == value[1]: -+ if value[0] in ("'", '"') and value[0] == value[-1]: - msg = ( - "Value >>{value}<< of shell variable '{varname}' " - "has been supplied with quotes, please fix the content - " - -From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 21 Jan 2020 14:46:39 +0100 -Subject: [PATCH 5/7] Fixed jinja macros - -- Fixed macro descriptions. -- Fixed Ansible insert_after. 
---- - shared/macros-ansible.jinja | 18 ++++++++---------- - shared/macros-bash.jinja | 2 +- - shared/macros-oval.jinja | 7 +++---- - 3 files changed, 12 insertions(+), 15 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index c42a5156ce..81e18e2d5c 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -143,22 +143,20 @@ - - {{# - High level macro to set a value in a shell-related file that contains var assignments. This -- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set -- in the configuration file, and the value to set it to. We specify a case -- sensitive comparison in the prefix since this is used to deduplicate since -+ takes these values: -+ - msg (the name for the Ansible task), -+ - path to the file, -+ - parameter to set in the configuration file, and -+ - value to set it to. - We also specify the validation program here; see 'bash -c "help set" | grep -e -n' - #}} - {{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}} - {{% if no_quotes -%}} - {{%- else -%}} --{{%- set quotes = "\"'" -%}} -- {{% if "$" in value %}} -- {{% set value = '"%s"' % value %}} -- {{% else %}} -- {{% set value = "'%s'" % value %}} -- {{% endif %}} -+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. 
#}} -+{{% set value = '"%s"' % value %}} - {{%- endif -%}} --{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}} -+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}} - {{%- endmacro %}} - - {{# -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 6c0bb2facc..dc7fd25588 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -18,7 +18,7 @@ - value=value, - create=true, - insert_after="", -- insert_before="^Match", -+ insert_before="^#\s*" ~ parameter, - insensitive=false, - separator="=", - separator_regex="=", -diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja -index 696cf36db0..cfa9de9d2d 100644 ---- a/shared/macros-oval.jinja -+++ b/shared/macros-oval.jinja -@@ -233,7 +233,7 @@ - - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). - - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. -+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. - - We specify a case insensitive comparison in the prefix because - sshd_config has case-insensitive parameters (but case-sensitive values). -@@ -250,7 +250,7 @@ - - value (String): The variable value WITHOUT QUOTES. 
- - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. -+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. - #}} - {{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} - {{% if no_quotes -%}} -@@ -268,8 +268,7 @@ - - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). - - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. -- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. -- -+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. 
- #}} - {{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} - {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} - -From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 22 Jan 2020 11:37:39 +0100 -Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes. - ---- - shared/macros-ansible.jinja | 2 +- - shared/macros-oval.jinja | 10 ++++++++-- - shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++-- - 3 files changed, 11 insertions(+), 5 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 81e18e2d5c..f752e7a2be 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -25,7 +25,7 @@ - {{%- elif insert_before %}} - insertbefore: '{{{ insert_before }}}' - {{%- endif %}} -- {{% else %}} -+ {{%- else %}} - state: '{{{ state }}}' - {{%- endif %}} - {{%- if validate %}} -diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja -index cfa9de9d2d..5f391efdcb 100644 ---- a/shared/macros-oval.jinja -+++ b/shared/macros-oval.jinja -@@ -13,13 +13,16 @@ - - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). - - separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression. - - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
-- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check. -+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. - - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. - - section (String): If set, the parameter will be checked only within the given section defined by [section]. - - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. - #}} - {{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}} -+{{%- if application == '' -%}} -+ {{%- set application = "The respective application or service" -%}} -+{{%- endif -%}} - - - -@@ -248,6 +251,9 @@ - - path (String): Path to the file. - - parameter (String): The shell variable name. - - value (String): The variable value WITHOUT QUOTES. -+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. -+ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes. -+ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check. - - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). 
- - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. - - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. -@@ -342,7 +348,7 @@ - - parameter (String): The parameter to be checked in the configuration file. - - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). - - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). -- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check. -+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. - - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. - - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. - #}} -diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile -index 7d0a3ebcbd..3e6c5619ea 100644 ---- a/shared/templates/template_ANSIBLE_shell_lineinfile -+++ b/shared/templates/template_ANSIBLE_shell_lineinfile -@@ -3,7 +3,7 @@ - # strategy = restrict - # complexity = low - # disruption = low --{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." 
-%}} -+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}} - {{%- if NO_QUOTES -%}} - {{% set msg = "Setting unquoted " ~ msg %}} - {{%- else -%}} -@@ -15,7 +15,7 @@ - path=PATH, - parameter=PARAMETER, - value=VALUE, -- no_quotes=NO_QUOTES -+ no_quotes=NO_QUOTES - ) - }}} - - -From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 21 Jan 2020 16:43:23 +0100 -Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule. - ---- - .../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++ - .../tests/bad_config.fail.sh | 3 ++ - .../tests/good_config.pass.sh | 3 ++ - .../tests/no_config.fail.sh | 3 ++ - .../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++ - rhel8/profiles/ospp.profile | 1 + - shared/references/cce-redhat-avail.txt | 1 - - 7 files changed, 60 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -new file mode 100644 -index 0000000000..4bfb72702b ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml -@@ -0,0 +1,47 @@ -+documentation_complete: true -+ -+# TODO: The plan is not to need this for RHEL>=8.4 -+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more -+prodtype: rhel8 -+ -+title: 'SSH server uses strong entropy to seed' -+ -+description: 
|- -+ To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. -+ The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so -+ make sure that the file contains line -+
SSH_USE_STRONG_RNG=32
-+ -+rationale: |- -+ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default. -+ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors -+ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of -+ the random number generator used by SSH would be known to potential attackers. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82462-3 -+ -+references: -+ ospp: FIA_AFL.1 -+ -+ocil: |- -+ To determine whether the SSH service is configured to use strong entropy seed, -+ run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
-+ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, -+ then the option is set correctly. -+ -+ocil_clause: |- -+ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd -+ -+warnings: -+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available." -+ -+template: -+ name: shell_lineinfile -+ vars: -+ path: '/etc/sysconfig/sshd' -+ parameter: 'SSH_USE_STRONG_RNG' -+ value: '32' -+ no_quotes: 'true' -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh -new file mode 100644 -index 0000000000..f4f8c22f64 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel -+ -+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh -new file mode 100644 -index 0000000000..70f53ac22b ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel -+ -+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh -new file mode 100644 -index 0000000000..1e5f0b2998 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel -+ -+rm -f /etc/sysconfig/sshd -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh -new file mode 100644 -index 0000000000..a10d24a73b ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel -+ -+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index f97527a914..63aea526b7 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -58,6 +58,7 @@ selections: - - sshd_set_keepalive - - sshd_enable_warning_banner - - sshd_rekey_limit -+ - sshd_use_strong_rng - - # Time Server - - chronyd_client_only -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index b665fa1cea..1ff291c7df 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1,4 +1,3 @@ --CCE-82462-3 - CCE-82463-1 - CCE-82464-9 - CCE-82465-6 diff --git a/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch b/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch deleted file mode 100644 index 58ad831..0000000 --- a/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 3 Feb 2020 10:55:42 +0100 -Subject: [PATCH] Update ISACA COBIT URI. - ---- - shared/transforms/shared_constants.xslt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt -index e88922d965..0aed1f6337 100644 ---- a/shared/transforms/shared_constants.xslt -+++ b/shared/transforms/shared_constants.xslt -@@ -28,7 +28,7 @@ - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf - https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785 - https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731 --http://www.isaca.org/COBIT/Pages/default.aspx -+https://www.isaca.org/resources/cobit - https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf - https://www.niap-ccevs.org/Profile/PP.cfm - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf diff --git a/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch b/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch deleted file mode 100644 index b604aaa..0000000 --- a/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 21 Jan 2020 13:42:35 +0100 -Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios - -Update test scenarios for OSPP profile, it selects 'FIPS:OSPP' crypto policy, -not 'FIPS'. ---- - .../tests/dropin_file_and_symlink_exist.fail.sh | 4 ++-- - .../tests/file_exists_but_no_file_in_local_d.fail.sh | 2 +- - .../configure_crypto_policy/tests/missing_nss_config.fail.sh | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh -index 693cdb03a9..2de1cf4a3b 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh -@@ -1,11 +1,11 @@ - #!/bin/bash - # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 --# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard -+# profiles = xccdf_org.ssgproject.content_profile_ospp - - # using example of opensshserver - DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" - --update-crypto-policies --set FIPS -+update-crypto-policies --set "FIPS:OSPP" - - echo "" > "$DROPIN_FILE" - echo "CRYPTO_POLICY=" >> "$DROPIN_FILE" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh -index 5935a38eac..428b76879a 100644 ---- 
a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh -@@ -5,7 +5,7 @@ - #using example of openssh server - CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config" - --update-crypto-policies --set "FIPS" -+update-crypto-policies --set "FIPS:OSPP" - - rm -f /etc/crypto-policies/local.d/opensshserver-*.config - rm -f "$CRYPTO_POLICY_FILE" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -index b165006a8d..97bc4b499c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh -@@ -2,6 +2,6 @@ - # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_ospp - --update-crypto-policies --set "FIPS" -+update-crypto-policies --set "FIPS:OSPP" - - rm -f "/etc/crypto-policies/back-ends/nss.config" - -From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 21 Jan 2020 14:07:50 +0100 -Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios - ---- - .../tests/dropin_file_and_symlink_exist.fail.sh | 11 ----------- - .../file_exists_but_no_file_in_local_d.fail.sh | 13 ------------- - .../tests/override_policy.pass.sh | 11 ----------- - 3 files changed, 35 deletions(-) - delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh - delete mode 100644 
linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh - delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh -deleted file mode 100644 -index 2de1cf4a3b..0000000000 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh -+++ /dev/null -@@ -1,11 +0,0 @@ --#!/bin/bash --# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 --# profiles = xccdf_org.ssgproject.content_profile_ospp -- --# using example of opensshserver --DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" -- --update-crypto-policies --set "FIPS:OSPP" -- --echo "" > "$DROPIN_FILE" --echo "CRYPTO_POLICY=" >> "$DROPIN_FILE" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh -deleted file mode 100644 -index 428b76879a..0000000000 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh -+++ /dev/null -@@ -1,13 +0,0 @@ --#!/bin/bash --# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 --# profiles = xccdf_org.ssgproject.content_profile_ospp -- --#using example of openssh server --CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config" -- --update-crypto-policies --set "FIPS:OSPP" -- --rm -f /etc/crypto-policies/local.d/opensshserver-*.config --rm -f "$CRYPTO_POLICY_FILE" -- --echo "pretend that we overide the crrypto policy but no related 
file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh -deleted file mode 100644 -index ce37abd7ff..0000000000 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh -+++ /dev/null -@@ -1,11 +0,0 @@ --#!/bin/bash --# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 --# profiles = xccdf_org.ssgproject.content_profile_ospp -- --#using openssh server as example --CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" -- --echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE" --echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE" -- --update-crypto-policies --set FIPS:OSPP diff --git a/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch b/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch deleted file mode 100644 index df16070..0000000 --- a/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch +++ /dev/null 
@@ -1,273 +0,0 @@ -From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 10 Feb 2020 16:16:17 +0100 -Subject: [PATCH 1/4] create new rules, add missing reference to older rule - ---- - .../rule.yml | 26 +++++++++++++++ - .../package_openssh-server_installed/rule.yml | 1 + - .../rule.yml | 32 +++++++++++++++++++ - .../rule.yml | 29 +++++++++++++++++ - 5 files changed, 88 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml - create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml - create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml - -diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml -new file mode 100644 -index 0000000000..9b3c55f23b ---- /dev/null -+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml -@@ -0,0 +1,26 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Install OpenSSH client software' -+ -+description: |- -+ {{{ describe_package_install(package="openssh-clients") }}} -+ -+rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' 
-+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82722-0 -+ -+references: -+ srg: SRG-OS-000480-GPOS-00227 -+ ospp: FIA_UAU.5,FTP_ITC_EXT.1 -+ -+{{{ complete_ocil_entry_package(package='openssh-clients') }}} -+ -+template: -+ name: package_installed -+ vars: -+ pkgname: openssh-clients -diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -index c18e604a5c..ba013ec509 100644 ---- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml -@@ -28,6 +28,7 @@ references: - cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06 - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 13,14 -+ ospp: FIA_UAU.5,FTP_ITC_EXT.1 - - ocil_clause: 'the package is not installed' - -diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -new file mode 100644 -index 0000000000..6025f0cd33 ---- /dev/null -+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -@@ -0,0 +1,32 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Install policycoreutils-python-utils package' -+ -+description: |- -+ {{{ describe_package_install(package="policycoreutils-python-utils") }}} -+ -+rationale: |- -+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities -+ with enhanced security functionality designed to add mandatory access controls to Linux. -+ The Security-enhanced Linux kernel contains new architectural components originally -+ developed to improve security of the Flask operating system. 
These architectural components -+ provide general support for the enforcement of many kinds of mandatory access control -+ policies, including those based on the concepts of Type Enforcement, Role-based Access -+ Control, and Multi-level Security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82724-6 -+ -+references: -+ srg: SRG-OS-000480-GPOS-00227 -+ -+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}} -+ -+template: -+ name: package_installed -+ vars: -+ pkgname: policycoreutils-python-utils -diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -new file mode 100644 -index 0000000000..c418518e7a ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -@@ -0,0 +1,29 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Install crypto-policies package' -+ -+description: |- -+ {{{ describe_package_install(package="crypto-policies") }}} -+ -+rationale: |- -+ The crypto-policies package provides configuration and tools to -+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries. 
-+ -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82723-8 -+ -+references: -+ ospp: FCS_COP* -+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 -+ -+{{{ complete_ocil_entry_package(package='crypto-policies') }}} -+ -+template: -+ name: package_installed -+ vars: -+ pkgname: crypto-policies -From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 10 Feb 2020 16:18:03 +0100 -Subject: [PATCH 2/4] modify ospp profile - ---- - rhel8/profiles/ospp.profile | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index 4d5a9edd8e..c672066050 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -169,17 +169,17 @@ selections: - - package_dnf-plugin-subscription-manager_installed - - package_firewalld_installed - - package_iptables_installed -- - package_libcap-ng-utils_installed - - package_openscap-scanner_installed - - package_policycoreutils_installed - - package_rng-tools_installed - - package_sudo_installed - - package_usbguard_installed -- - package_audispd-plugins_installed - - package_scap-security-guide_installed - - package_audit_installed -- - package_gnutls-utils_installed -- - package_nss-tools_installed -+ - package_crypto-policies_installed -+ - package_openssh-server_installed -+ - package_openssh-clients_installed -+ - package_policycoreutils-python-utils_installed - - ### Remove Prohibited Packages - - package_sendmail_removed -@@ -316,7 +316,7 @@ selections: - ## Configure the System to Offload Audit Records to a Log - ## Server - ## AU-4(1) / FAU_GEN.1.1.c -- - auditd_audispd_syslog_plugin_activated -+ # temporarily dropped - - ## Set Logon Warning Banner - ## AC-8(a) / FMT_MOF_EXT.1 - -From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 10 Feb 2020 16:18:52 +0100 -Subject: [PATCH 3/4] add rules to rhel8 
stig profile - ---- - rhel8/profiles/stig.profile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile -index 821cc26914..7eb1869a3c 100644 ---- a/rhel8/profiles/stig.profile -+++ b/rhel8/profiles/stig.profile -@@ -33,6 +33,9 @@ selections: - - encrypt_partitions - - sysctl_net_ipv4_tcp_syncookies - - clean_components_post_updating -+ - package_audispd-plugins_installed -+ - package_libcap-ng-utils_installed -+ - auditd_audispd_syslog_plugin_activated - - # Configure TLS for remote logging - - package_rsyslog_installed - -From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 10 Feb 2020 17:42:43 +0100 -Subject: [PATCH 4/4] rephrase some rationales, fix SFR - ---- - .../ssh/package_openssh-clients_installed/rule.yml | 4 +++- - .../rule.yml | 9 ++------- - .../crypto/package_crypto-policies_installed/rule.yml | 8 ++++---- - 3 files changed, 9 insertions(+), 12 deletions(-) - -diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml -index 9b3c55f23b..f5b29d32e8 100644 ---- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml -+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml -@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software' - description: |- - {{{ describe_package_install(package="openssh-clients") }}} - --rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' -+rationale: |- -+ This package includes utilities to make encrypted connections and transfer -+ files securely to SSH servers. 
- - severity: medium - -diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -index 6025f0cd33..7ae7461077 100644 ---- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml -@@ -8,13 +8,8 @@ description: |- - {{{ describe_package_install(package="policycoreutils-python-utils") }}} - - rationale: |- -- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities -- with enhanced security functionality designed to add mandatory access controls to Linux. -- The Security-enhanced Linux kernel contains new architectural components originally -- developed to improve security of the Flask operating system. These architectural components -- provide general support for the enforcement of many kinds of mandatory access control -- policies, including those based on the concepts of Type Enforcement, Role-based Access -- Control, and Multi-level Security. -+ This package is required to operate and manage an SELinux environment and its policies. -+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. 
- - severity: medium - -diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -index c418518e7a..bb07f9d617 100644 ---- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml -@@ -8,9 +8,9 @@ description: |- - {{{ describe_package_install(package="crypto-policies") }}} - - rationale: |- -- The crypto-policies package provides configuration and tools to -- apply centralizet cryptographic policies for backends such as SSL/TLS libraries. -- -+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and -+ the applications that run on that operating system. Use of weak or untested encryption algorithms -+ undermines the purposes of utilizing encryption to protect data. - - severity: medium - -@@ -18,7 +18,7 @@ identifiers: - cce@rhel8: 82723-8 - - references: -- ospp: FCS_COP* -+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4) - srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 - - {{{ complete_ocil_entry_package(package='crypto-policies') }}} diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch new file mode 100644 index 0000000..e859c54 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch 
@@ -0,0 +1,71 @@ +From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 08:17:20 +0200 +Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated + +--- + .../ansible/shared.yml | 33 +++++++++++++++++++ + 1 file changed, 33 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +new file mode 100644 +index 0000000000..5d76b3c073 +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +@@ -0,0 +1,33 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: Configure daily log rotation in /etc/logrotate.conf ++ lineinfile: ++ create: yes ++ dest: "/etc/logrotate.conf" ++ regexp: "^daily$" ++ line: "daily" ++ ++- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf ++ lineinfile: ++ create: no ++ dest: "/etc/logrotate.conf" ++ regexp: "^(weekly|monthly|yearly)$" ++ state: absent ++ ++- name: Configure cron.daily if not already ++ block: ++ - name: Add shebang ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: "#!/bin/sh" ++ insertbefore: BOF ++ create: yes ++ - name: Add logrotate call ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: '/usr/sbin/logrotate /etc/logrotate.conf' ++ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' + +From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 14:48:15 +0200 +Subject: [PATCH 2/2] Add test for ensure_logrotate_activated + +Test scenario when monthly is there, but weekly is not. 
+--- + .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +new file mode 100644 +index 0000000000..b10362989b +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++sed -i "s/weekly/daily/g" /etc/logrotate.conf ++echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch new file mode 100644 index 0000000..a864ebf --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch 
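Review bot: The `Configure cron.daily if not already` block creates `/etc/cron.daily/logrotate` through `lineinfile` with `create: yes` but sets no `mode`, so on a host where that file is missing the new script is written without the executable bit; run-parts only executes files that are executable, so the daily logrotate call would never actually run even though the remediation reports a change. Add `mode: '0755'` to both lineinfile tasks in that block (or follow them with a `file` task carrying `mode: '0755'`). Separately, the first task's `regexp: "^daily$"` appends `daily` at end of file when it is absent, which in a stock config is presumably after the `include /etc/logrotate.d` line; since logrotate applies a global directive only to definitions read after it, an `insertbefore: '^include'` may be needed for the setting to govern the included log definitions — confirm against what the OVAL check accepts. Minor: "overriden" in the second task name should read "overridden".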
@@ -0,0 +1,115 @@ +From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:49:08 +0200 +Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++ + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..a816eea390 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 4" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..b36125f5bb +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 10" >> $SSHD_CONFIG ++fi + +From 
027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:53:50 +0200 +Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++ + .../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++ + .../tests/correct_value.pass.sh | 2 +- + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +- + 4 files changed, 22 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +new file mode 100644 +index 0000000000..a7e171dfe9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++- (xccdf-var var_sshd_max_sessions) ++ ++{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +new file mode 100644 +index 0000000000..fc0a1d8b42 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +@@ -0,0 +1,12 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++populate var_sshd_max_sessions ++ ++{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +index a816eea390..4cc6d65988 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG + else +- echo "MaxSessions 4" >> $SSHD_CONFIG ++ echo "MaxSessions 4" >> $SSHD_CONFIG + fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +index b36125f5bb..bc0c47842a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG + else +- echo "MaxSessions 10" >> $SSHD_CONFIG ++ echo "MaxSessions 10" >> $SSHD_CONFIG + fi diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch new file mode 100644 index 0000000..ff529ca --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch 
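Review bot: In both new test scripts, correct_value.pass.sh and wrong_value.fail.sh, the `#!/bin/bash` line sits on line 4 below the `# profiles =` and `# platform =` headers, where it is only a comment; an interpreter directive is honored solely on the first line of a file. Move it to line 1 above the metadata comments, as logrotate_conf_extra_monthly.fail.sh in the preceding patch does. The setup also only rewrites lines matching `^MaxSessions`; sshd keywords are case-insensitive and may be indented, so a pre-existing `maxsessions` line would survive ahead of the appended one and sshd honors the first occurrence — harmless on a fresh test image, but `grep -qi "^\s*MaxSessions"` (with the same pattern in the sed) would make the scenarios robust on a reused one. Style: `"{{ var_sshd_max_sessions}}"` in ansible/shared.yml is missing the space before `}}`.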
@@ -0,0 +1,147 @@ +From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 11:52:35 +0200 +Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line + +Very likey a copy-pasta error from bash remediation for +audit_rules_immutable +--- + .../audit_rules_system_shutdown/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index 1c9748ce9b..b56513cdcd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -8,7 +8,7 @@ + # files to check if '-f .*' setting is present in that '*.rules' file already. + # If found, delete such occurrence since auditctl(8) manual page instructs the + # '-f 2' rule should be placed as the last rule in the configuration +-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' ++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + + # Append '-f 2' requirement at the end of both: + # * /etc/audit/audit.rules file (for auditctl case) + +From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 12:12:21 +0200 +Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown + +Along with very basic test scenarios +--- + .../ansible/shared.yml | 28 +++++++++++++++++++ + .../tests/augen_correct.pass.sh | 4 +++ + .../tests/augen_e_2_immutable.fail.sh | 3 ++ + 3 files changed, 35 insertions(+) + create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +new file mode 100644 +index 0000000000..b9e8fa87fa +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +@@ -0,0 +1,28 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Collect all files from /etc/audit/rules.d with .rules extension ++ find: ++ paths: "/etc/audit/rules.d/" ++ patterns: "*.rules" ++ register: find_rules_d ++ ++- name: Remove the -f option from all Audit config files ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^\s*(?:-f)\s+.*$' ++ state: absent ++ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" ++ ++- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++ lineinfile: ++ path: "{{ item }}" ++ create: True ++ line: "-f 2" ++ loop: ++ - "/etc/audit/audit.rules" ++ - "/etc/audit/rules.d/immutable.rules" ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..0587b937e0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +@@ -0,0 +1,4 @@ 
++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules ++echo "-f 2" >> /etc/audit/rules.d/immutable.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +new file mode 100644 +index 0000000000..fa5b7231df +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules + +From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 14:06:08 +0200 +Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name + +--- + .../audit_rules_immutable/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 5ac7b3dabb..1cafb744cc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -17,7 +17,7 @@ + state: absent + loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" + +-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: "{{ item }}" + create: True + +From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 11:02:56 +0200 +Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix + +--- + 
.../audit_rules_system_shutdown/bash/shared.sh | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index b56513cdcd..a349bb1ca1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -4,16 +4,8 @@ + # + # /etc/audit/audit.rules, (for auditctl case) + # /etc/audit/rules.d/*.rules (for augenrules case) +-# +-# files to check if '-f .*' setting is present in that '*.rules' file already. +-# If found, delete such occurrence since auditctl(8) manual page instructs the +-# '-f 2' rule should be placed as the last rule in the configuration + find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +-# Append '-f 2' requirement at the end of both: +-# * /etc/audit/audit.rules file (for auditctl case) +-# * /etc/audit/rules.d/immutable.rules (for augenrules case) +- + for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" + do + echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch new file mode 100644 index 0000000..2b5acdc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch 
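Review bot: The sed expression on the new `find ... -exec sed -i '/-f[[:space:]]\+.*/d'` line in audit_rules_system_shutdown/bash/shared.sh is unanchored, while the Ansible task added in PATCH 2/4 removes only lines matching `^\s*(?:-f)\s+.*$`, so a rule line that merely contains `-f ` in a key or path argument is deleted by the bash remediation but kept by the Ansible one. Anchoring it, `sed -i '/^[[:space:]]*-f[[:space:]]\+.*/d'`, makes the two remediations agree and limits deletion to control lines. The `augen_correct.pass.sh` scenario places `-f 2` after `-e 2` in immutable.rules; whether a control line placed after the immutability flag is still applied depends on how augenrules orders such lines, which is not visible here, so the scenario presumably exercises the scanner check rather than a known-good runtime configuration. The bash script's body continues outside the hunk shown in PATCH 4/4.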
@@ -0,0 +1,49 @@ +From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 21 May 2020 18:16:43 +0200 +Subject: [PATCH] Attribute content to CIS + +And update the description a bit. +--- + rhel7/profiles/cis.profile | 8 +++++--- + rhel8/profiles/cis.profile | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 0826a49547..829c388133 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 7 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released +- 12-27-2017. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index f332ee5462..868b9f21a6 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 8 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released +- 09-30-2019. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch new file mode 100644 index 0000000..3c4f3b1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch 
@@ -0,0 +1,274 @@ +From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 12:17:48 +0200 +Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 + +--- + rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + 2 files changed, 250 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +new file mode 100644 +index 0000000000..14c82c4231 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2020-05-25 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during 
installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for 
authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg 
b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg +new file mode 100644 +index 0000000000..861db36f18 +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2020-05-25 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 
disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch new file mode 100644 index 0000000..e6dc9cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch 
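Review bot: Both new kickstart files ship fixed credential hashes for `rootpw`, the `admin` wheel user and the `bootloader` password, and the comment above each records the corresponding plaintext (`server`, `admin123`, `password`), so a system installed from either file unmodified ends up with documented root, sudo-capable and GRUB passwords. A comment near the top of each file stating that the three hashes must be regenerated before deployment, e.g. `# Replace the rootpw, user and bootloader password hashes below before use; their plaintexts are recorded in this file`, would make that expectation explicit. The `network` comment cites CCE-27021-5 (DISA FSO RHEL-06-000292), a RHEL 6-era identifier, in RHEL 7 and RHEL 8 kickstarts that select the hipaa profile; nothing in the hunk shows that this maps to a rule in that profile, so it is presumably a carry-over worth re-checking.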
@@ -0,0 +1,76 @@ +From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 22 May 2020 14:12:18 +0200 +Subject: [PATCH] Add missing CCEs for RHEL8 + +--- + .../password_storage/no_netrc_files/rule.yml | 1 + + .../accounts_user_interactive_home_directory_exists/rule.yml | 1 + + .../file_groupownership_home_directories/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 3 --- + 4 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +index 8547893201..1bd1f5742e 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel6: 27225-2 + cce@rhel7: 80211-6 ++ cce@rhel8: 83444-0 + cce@ocp4: 82667-7 + + references: +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index bedf3a0b19..e69bc9d736 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: 80529-1 ++ cce@rhel8: 83424-2 + + references: + stigid@ol7: "020620" +diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +index 1c5ac8d099..f931f6d160 100644 +--- 
a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80532-5 ++ cce@rhel8: 83434-1 + + references: + stigid@ol7: "020650" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 2f0d2a526b..45d03a2c1d 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -95,7 +95,6 @@ CCE-83411-9 + CCE-83421-8 + CCE-83422-6 + CCE-83423-4 +-CCE-83424-2 + CCE-83425-9 + CCE-83426-7 + CCE-83427-5 +@@ -105,7 +104,6 @@ CCE-83430-9 + CCE-83431-7 + CCE-83432-5 + CCE-83433-3 +-CCE-83434-1 + CCE-83435-8 + CCE-83436-6 + CCE-83437-4 +@@ -115,7 +113,6 @@ CCE-83440-8 + CCE-83441-6 + CCE-83442-4 + CCE-83443-2 +-CCE-83444-0 + CCE-83445-7 + CCE-83446-5 + CCE-83447-3 diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch new file mode 100644 index 0000000..b435b97 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch 
@@ -0,0 +1,103 @@ +From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 13:30:24 +0200 +Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +index e9a29a24d5..6fbb7c72a5 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +@@ -3,13 +3,9 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Test for existence of /etc/securetty +- stat: +- path: /etc/securetty +- register: securetty_empty ++ + + - name: "Direct root Logins Not Allowed" + copy: + dest: /etc/securetty + content: "" +- when: securetty_empty.stat.size > 1 + +From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:21:38 +0200 +Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8 + +--- + shared/templates/template_ANSIBLE_sebool | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool +index 29f37081be..38d7c7c350 100644 +--- a/shared/templates/template_ANSIBLE_sebool ++++ b/shared/templates/template_ANSIBLE_sebool +@@ -13,11 +13,17 @@ + {{% else %}} + - (xccdf-var var_{{{ SEBOOLID }}}) + ++{{% if product == "rhel8" %}} ++- name: Ensure python3-libsemanage installed ++ package: ++ name: python3-libsemanage ++ state: present ++{{% else %}} + - name: Ensure libsemanage-python 
installed + package: + name: libsemanage-python + state: present +- ++{{% endif %}} + - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly + seboolean: + name: {{{ SEBOOLID }}} + +From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:57:05 +0200 +Subject: [PATCH 3/3] add tests for no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++ + 3 files changed, 9 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +new file mode 100644 +index 0000000000..17251f6a98 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo > /etc/securetty +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +new file mode 100644 +index 0000000000..c764814b26 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -f /etc/securetty +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..43ac341e87 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "something" > /etc/securetty diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch new file mode 100644 index 0000000..5c6664f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch 
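Review bot: The new `correct.pass.sh` scenario writes a single newline with `echo > /etc/securetty`, so the file is one byte rather than empty, while the Ansible remediation in PATCH 1/3 now unconditionally writes `content: ""` and produces a zero-byte file; if the check requires an empty file the pass scenario fails, and if it tolerates whitespace that tolerance should be stated. Using `: > /etc/securetty` in the scenario keeps it aligned with what the remediation produces. Dropping the `stat`/`when` guard is a simplification the task can carry in a one-line comment, e.g. `# /etc/securetty is truncated unconditionally; an empty file permits no direct root console login`. The two consecutive blank lines left after the header comments in no_direct_root_logins/ansible/shared.yml could be collapsed to one.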
@@ -0,0 +1,308 @@ +From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 26 May 2020 17:49:21 +0200 +Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation. + +Affected rules: + - selinux_policytype + - selinux_state +--- + .../selinux/selinux_policytype/ansible/shared.yml | 9 ++------- + .../selinux/selinux_policytype/bash/shared.sh | 5 +++-- + .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++ + .../selinux/selinux_state/ansible/shared.yml | 9 ++------- + .../system/selinux/selinux_state/bash/shared.sh | 5 +++-- + .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++ + .../tests/selinux_permissive.fail.sh | 10 ++++++++++ + shared/macros-ansible.jinja | 11 +++++++++++ + shared/macros-bash.jinja | 15 +++++++++++++++ + 9 files changed, 61 insertions(+), 18 deletions(-) + create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 5c70cc9f7f..9f8cf66dfb 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_policy_name) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUXTYPE=' +- line: "SELINUXTYPE={{ var_selinux_policy_name }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh 
b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index d0fbbf4446..2b5ce31b12 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,7 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_policy_name + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +new file mode 100644 +index 0000000000..1a6eb94953 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE ++else ++ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE ++fi +diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +index b465ac6729..1c1560a86c 100644 +--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_state) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUX=' +- line: 
"SELINUX={{ var_selinux_state }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index 58193b5504..a402a861d7 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,10 +1,11 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_state + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} + + fixfiles onboot + fixfiles -f relabel +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +new file mode 100644 +index 0000000000..180dd80791 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +new file mode 100644 +index 0000000000..3db1e56b5f +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUX' 
$SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE ++else ++ echo 'SELINUX=permissive' >> $SELINUX_FILE ++fi +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 6798a25d1f..01d3155b37 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}" + {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} + {{%- endmacro %}} + ++{{# ++ High level macro to set a parameter in /etc/selinux/config. ++ Parameters: ++ - msg: the name for the Ansible task ++ - parameter: parameter to be set in the configuration file ++ - value: value of the parameter ++#}} ++{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{%- endmacro %}} ++ + {{# + Generates an Ansible task that puts 'contents' into a file at 'filepath' + Parameters: +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 3a94fe5dd8..2531d1c52d 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -86,6 +86,21 @@ populate {{{ name }}} + }}} + {{%- endmacro -%}} + ++{{%- macro bash_selinux_config_set(parameter, value) -%}} ++{{{ set_config_file( ++ path="/etc/selinux/config", ++ parameter=parameter, ++ value=value, ++ create=true, ++ insert_after="", ++ insert_before="", ++ insensitive=true, ++ separator="=", ++ separator_regex="\s*=\s*", ++ prefix_regex="^\s*") ++ }}} ++{{%- endmacro -%}} ++ + {{# + # Install a package + # Uses the right command based on pkg_manger proprerty defined in product.yaml. 
+ +From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 27 May 2020 18:48:57 +0200 +Subject: [PATCH 2/2] Remediation requires reboot. + +Update OVAL check to disallow spaces. +Removed selinuxtype_minimum test scenario since breaks the system. +--- + .../selinux/selinux_policytype/ansible/shared.yml | 2 +- + .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++ + .../system/selinux/selinux_policytype/oval/shared.xml | 2 +- + .../tests/selinuxtype_minimum.fail.sh | 10 ---------- + .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++ + .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +- + shared/macros-ansible.jinja | 2 +- + shared/macros-bash.jinja | 4 ++-- + 8 files changed, 14 insertions(+), 16 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 9f8cf66dfb..73e6ec7cd4 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -1,5 +1,5 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# reboot = false ++# reboot = true + # strategy = restrict + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index 2b5ce31b12..b4f79c97f9 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + 
+ # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +index f1840a1290..3d69fff07f 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +@@ -27,7 +27,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*) ++ ^SELINUXTYPE=(.*)$ + 1 + +
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +deleted file mode 100644 +index 1a6eb94953..0000000000 +--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp +- +-SELINUX_FILE='/etc/selinux/config' +- +-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then +- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE +-else +- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE +-fi +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index a402a861d7..645a7acab4 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +index c0881696e1..8c328060af 100644 +--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +@@ -18,7 +18,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$ ++ ^SELINUX=(.*)$ + 1 + + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 01d3155b37..580a0b948e 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}" + - value: value of the parameter + #}} + {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} +-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}} + {{%- endmacro %}} + + {{# +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 2531d1c52d..8abcc914d3 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -96,8 +96,8 @@ populate {{{ name }}} + insert_before="", + insensitive=true, + separator="=", +- separator_regex="\s*=\s*", +- prefix_regex="^\s*") ++ separator_regex="=", ++ prefix_regex="^") + }}} + {{%- endmacro -%}} + diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch new file mode 100644 index 0000000..1e028b7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch 
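Review bot: In the new `selinux_permissive.fail.sh` test, the sed replacement `\permissive` is not a back-reference to the captured `SELINUX=` prefix, so when a `SELINUX=` line exists the whole line is rewritten to a bare `permissive` and the scenario ends with no `SELINUX` setting at all, duplicating `selinux_missing.fail.sh` instead of exercising the permissive-value case the file name promises (the same `\minimum` slip was in the `selinuxtype_minimum` test that PATCH 2/2 deletes). The replacement should read `sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\1permissive/' $SELINUX_FILE`. The `grep -s '^[[:space:]]*SELINUX'` guard also matches `SELINUXTYPE=` lines, so a config carrying only `SELINUXTYPE` skips the `echo 'SELINUX=permissive'` branch and writes nothing; anchoring it as `'^[[:space:]]*SELINUX[[:space:]]*='` keeps the two keys apart. Separately, the tightened OVAL patterns `^SELINUX=(.*)$` and `^SELINUXTYPE=(.*)$` capture everything to end of line, so a trailing comment or whitespace after the value now fails the check even if libselinux may tolerate it — worth a one-line note in the rule description so an unexpected fail after the upgrade is understood.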
@@ -0,0 +1,40 @@
+From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 15 May 2020 23:36:18 +0200
+Subject: [PATCH] Ansible mount_option: split mount and option task
+
+Separate task that adds mount options mounts the mountpoint into two tasks.
+Conditioning the "mount" task on the absence of the target mount option
+caused the task to always be skipped when mount option was alredy present,
+and could result in the mount point not being mounted.
+---
+ shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
+index 95bede25f9..a0cf8d6b7a 100644
+--- a/shared/templates/template_ANSIBLE_mount_option
++++ b/shared/templates/template_ANSIBLE_mount_option
+@@ -26,14 +26,19 @@
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ 
+-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
++- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
++ set_fact:
++ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
++ when:
++ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
++
++- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
+ mount:
+ path: "{{{ MOUNTPOINT }}}"
+ src: "{{ mount_info.source }}"
+- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
++ opts: "{{ mount_info.options }}"
+ state: "mounted"
+ fstype: "{{ mount_info.fstype }}"
+ when:
+- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+ - device_name.stdout is defined
+ - (device_name.stdout | length > 0)
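Review bot: The rewritten `mount` task drops `mount_info is defined` from its `when`, keeping only the `device_name.stdout` conditions, so if the fact-gathering tasks above the hunk can leave `mount_info` undefined while `device_name.stdout` is non-empty the play now errors on `{{ mount_info.source }}` where the old `when` skipped it; keeping `- mount_info is defined` as the first condition of the `mount` task costs nothing. The `set_fact` guard `"{{{ MOUNTOPTION }}}" not in mount_info.options` is a substring test on the comma-joined option string, so an option that is a suffix of one already present (e.g. `dev` inside `nodev`, `exec` inside `noexec`) would be reported as present and never added; `"{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')` compares whole options instead. When `mount_info.options` is empty the concatenation `''~mount_info.options~',{{{ MOUNTOPTION }}}'` yields a leading comma (`,nodev`), which the old inline `opts:` expression also produced; a `| regex_replace('^,', '')` on the combined value keeps the written fstab entry clean.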
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
new file mode 100644
index 0000000..47b9cdb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
@@ -0,0 +1,33 @@
+From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 14 May 2020 16:46:07 +0200
+Subject: [PATCH] reorder groups because of permissions verification
+
+---
+ ssg/build_yaml.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
+index e3e138283c..c9f3179c08 100644
+--- a/ssg/build_yaml.py
++++ b/ssg/build_yaml.py
+@@ -700,6 +700,11 @@ def to_xml_element(self):
+ # audit_rules_privileged_commands, othervise the rule
+ # does not catch newly installed screeen binary during remediation
+ # and report fail
++ # the software group should come before the
++ # bootloader-grub2 group because of conflict between
++ # rules rpm_verify_permissions and file_permissions_grub2_cfg
++ # specific rules concerning permissions should
++ # be applied after the general rpm_verify_permissions
+ # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
+ # the firewalld_activation must come before ruleset_modifications, othervise
+ # remediations for ruleset_modifications won't work
+@@ -707,6 +712,7 @@ def to_xml_element(self):
+ # otherwise the remediation prints error although it is successful
+ priority_order = [
+ "accounts", "auditing",
++ "software", "bootloader-grub2",
+ "fips", "crypto",
+ "firewalld_activation", "ruleset_modifications",
+ "disabling_ipv6", "configuring_ipv6"
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
new file mode 100644
index 0000000..34531f1
--- /dev/null
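Review bot: The reason for the new `"software", "bootloader-grub2",` entry lives several lines above it in a comment block that already explains three other pairs, so someone reordering `priority_order` later has nothing on the line itself to warn them; a trailing comment such as `"software", "bootloader-grub2",  # rpm_verify_permissions would reset grub2.cfg perms` makes the pairing visible where it matters. The fix is also specific to grub2: any other rule that tightens the mode of an RPM-owned file would presumably be undone the same way if its group sorts before `software`, and the inserted comment could say so (`# any rule tightening permissions of RPM-owned files must sort after software`) so the next such conflict is recognised as this one. `to_xml_element` starts and ends outside the hunk, so how groups absent from this list are ordered cannot be checked here.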
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch @@ -0,0 +1,171 @@ +From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 14 May 2020 01:20:53 +0200 +Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig + +All paths in /etc/rsyslog.conf were taken as log files, but paths +in lines containing "include" or "$IncludeConfig" are config files. + +Let's not take them in as log files +--- + .../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a78cd69df2..c74f3da3f5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -87,8 +87,18 @@ + --> + ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_ignore_include_paths +
+ ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + + +From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 14 May 2020 00:16:37 +0200 +Subject: [PATCH 2/4] Fix permissions of files referenced by include() + +The remediation script also needs to parse the files included via +"include()". +The awk also takes into consideration the multiline aspect. +--- + .../rsyslog_files_permissions/bash/shared.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 6cbf0c6a24..dca35301e7 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) + readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) ++readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++ + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + + # Browse each file selected above as containing paths of log files + # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" ++for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}" + do + # From each of 
these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + +From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 15:53:58 +0200 +Subject: [PATCH 3/4] Make regex for include file more strict + +For some reason gensub in awk doesn't support non capturing group. +So the group with OR is capturing and we substitute everyting with the +second group, witch matches the file path. +--- + .../rsyslog_files_permissions/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index dca35301e7..99d2d0e794 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) + readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) + + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 
00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 16:55:02 +0200 +Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership + +These three files basically work the same way +--- + .../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++ + .../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++ + .../rsyslog_files_permissions/oval/shared.xml | 4 ++-- + 3 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +index 5828f25321..9941e2b94f 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +@@ -86,8 +86,18 @@ + --> + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_groupownership_ignore_include_paths +
+ ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +index 3c46eab6d6..29dd1a989e 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +@@ -83,8 +83,18 @@ + --> + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_owner_ignore_include_paths + + ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index c74f3da3f5..da37a15b8c 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -87,10 +87,10 @@ + --> + ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 +- state_ignore_include_paths ++ state_permissions_ignore_include_paths + + +- ++ + +- +- +- +- + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_default_range_quad_expr +- +- +- +- +- 0 +- +- + + +- +- +- +- ++ ++ ++ ++ ++ ++ ++ 0 ++ ++ ++ ++ + + + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_reserved_range_quad_expr +- +- +- +- +- 0 +- +- + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_dynalloc_range_quad_expr +- ++ ++ ++ ++ + +- +- +- 0 +- ++ ++ ++ + + + +- +- +- +- ++ ++ ++ ++ + 
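Review bot: In the awk added to `rsyslog_files_permissions/bash/shared.sh`, the `/)/{f=0}` rule runs before `/include\(/{f=1}`, so for a one-line `include(file="/etc/rsyslog.d/*.conf")` the flag is set after the reset and stays set on the following lines until the next `)`; a later multi-line `action(type="omfile" ... file="/var/log/app.log" ...)` block would then have its log file collected into `RSYSLOG_INCLUDE` and parsed as a config file. Placing the reset last, `awk '/include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}} /)/{f=0}'`, clears the flag only after the line has been processed and avoids the bleed. The entries of `RSYSLOG_INCLUDE` are iterated quoted (`"${RSYSLOG_INCLUDE[@]}"`) just like `RSYSLOG_INCLUDE_CONFIG`, so a glob such as `/etc/rsyslog.d/*.conf` reaches the loop body unexpanded; whether that body expands it is outside the hunk and worth confirming. On the OVAL side the new `state_*_ignore_include_paths` pattern appears to exclude every line containing `file="…"`, not only `include()` lines, so `omfile` actions naming a log file via `file=` are no longer examined at all — acceptable if that syntax was already unsupported, but the commit message only mentions include paths, so a comment next to the state saying so would save the next reader the question.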
++ ++ ++ ++ ++ ++ +
+ +From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 4 Jun 2020 14:04:37 +0200 +Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs + +--- + .../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +- + .../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +-- + .../tests/only_system_users.pass.sh | 3 +-- + .../tests/system_user_with_shell.fail.sh | 3 +-- + 4 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh +index 6d48ad78fd..833831f79d 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh +@@ -1,4 +1,4 @@ ++#!/bin/bash + # remediation = none + +-#!/bin/bash + true +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh +index bc4f9cee8c..6769895eb2 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh +@@ -1,6 +1,5 @@ +-# remediation = none +- + #!/bin/bash ++# remediation = none + + # Force unset of SYS_UID values + sed -i '/^SYS_UID_MIN/d' /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh +index 0cdb820bbb..06edf671ce 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh +@@ -1,6 +1,5 @@ +-# remediation = none +- + #!/bin/bash ++# remediation = none + + # remove any non-system user + sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh +index 7639a8809d..10312593b8 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh +@@ -1,6 +1,5 @@ +-# remediation = none +- + #!/bin/bash ++# remediation = none + + # change system user "mail" shell to bash + usermod --shell /bin/bash mail diff --git a/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch b/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch new file mode 100644 index 0000000..218e89b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch 
@@ -0,0 +1,163 @@ +From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 25 Jun 2020 09:53:38 +0200 +Subject: [PATCH 1/3] fixed description, oval, ansible, bash + +--- + .../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- + .../configure_openssl_crypto_policy/bash/shared.sh | 4 ++-- + .../configure_openssl_crypto_policy/oval/shared.xml | 2 +- + .../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++----- + 4 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +index e6318f221c..98fe134aca 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +@@ -15,7 +15,7 @@ + lineinfile: + create: yes + insertafter: '^\s*\[\s*crypto_policy\s*]\s*' +- line: ".include /etc/crypto-policies/back-ends/openssl.config" ++ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config" + path: /etc/pki/tls/openssl.cnf + when: + - test_crypto_policy_group.stdout is defined +@@ -24,7 +24,7 @@ + - name: "Add crypto_policy group and set include openssl.config" + lineinfile: + create: yes +- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config" ++ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" + path: /etc/pki/tls/openssl.cnf + when: + - test_crypto_policy_group.stdout is defined +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +index 0b3cbf3b46..a0b30cce96 100644 +--- 
a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +@@ -2,8 +2,8 @@ + + OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' + OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' +-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config' +-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$' ++OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' ++OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' + + function remediate_openssl_crypto_policy() { + CONFIG_FILE="/etc/pki/tls/openssl.cnf" +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml +index a9b3f7b6e9..2019769736 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml +@@ -20,7 +20,7 @@ + + /etc/pki/tls/openssl.cnf +- ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$ ++ ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$ + 1 + + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +index 8c015bb3b2..1a66570a8c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +@@ -11,7 +11,7 @@ description: |- + To 
check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file + available under /etc/pki/tls/openssl.cnf. + This file has the ini format, and it enables crypto policy support +- if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/openssl.config directive. ++ if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. + + rationale: |- + Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, +@@ -29,11 +29,11 @@ references: + + ocil_clause: |- + the OpenSSL config file doesn't contain the whole section, +- or that the section doesn't have the
.include /etc/crypto-policies/back-ends/openssl.config
directive ++ or that the section doesn't have the
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive + + ocil: |- +- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file ++ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file +
/etc/pki/tls/openssl.cnf
contains the
[ crypto_policy ]
section with the +-
.include /etc/crypto-policies/back-ends/openssl.config
directive: +-
grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf
. ++
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive: ++
grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
. + + +From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 25 Jun 2020 09:54:09 +0200 +Subject: [PATCH 2/3] updated tests + +--- + .../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +- + .../tests/wrong.fail.sh | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh +index 5b8334735e..c56916883e 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh +@@ -6,5 +6,5 @@ + + create_config_file_with "[ crypto_policy ] + +-.include /etc/crypto-policies/back-ends/openssl.config ++.include /etc/crypto-policies/back-ends/opensslcnf.config + " +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..5b8334735e +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard ++ ++. 
common.sh ++ ++create_config_file_with "[ crypto_policy ] ++ ++.include /etc/crypto-policies/back-ends/openssl.config ++" + +From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 25 Jun 2020 17:32:00 +0200 +Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config + file. + +--- + .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +index 98fe134aca..986543c10f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +@@ -11,7 +11,7 @@ + changed_when: False + check_mode: no + +-- name: "Add .include for openssl.config to crypto_policy section" ++- name: "Add .include for opensslcnf.config to crypto_policy section" + lineinfile: + create: yes + insertafter: '^\s*\[\s*crypto_policy\s*]\s*' +@@ -21,7 +21,7 @@ + - test_crypto_policy_group.stdout is defined + - test_crypto_policy_group.stdout | length > 0 + +-- name: "Add crypto_policy group and set include openssl.config" ++- name: "Add crypto_policy group and set include opensslcnf.config" + lineinfile: + create: yes + line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch new file mode 100644 index 0000000..77a9e01 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch 
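Review bot: The OCIL verification command in rule.yml, `grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf`, requires a literal space after `\s*`, so a directive written with a tab between `.include` and the path is accepted by the OVAL pattern (`\.include\s*/etc/...`) but missed by the manual check. Dropping the stray space, `grep '\.include\s*/etc/crypto-policies/back-ends/opensslcnf\.config$' /etc/pki/tls/openssl.cnf`, keeps the manual and automated checks consistent. In the same spirit, the `.` in `opensslcnf.config` is unescaped in the bash `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` and in the OVAL pattern; harmless in practice, but escaping it where the path is matched avoids accidental matches. The new wrong.fail.sh reusing the old `openssl.config` path as the negative scenario is a good addition.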
@@ -0,0 +1,383 @@ +From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 19 May 2020 15:49:34 +0200 +Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized. + +Introduce the rekey_limit_size and rekey_limit_time XCCDF values +to make the rule more flexible. +--- + .../sshd_rekey_limit/bash/shared.sh | 9 ++++ + .../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++ + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +----- + .../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++ + .../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++ + .../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++ + .../sshd_rekey_limit/tests/ok.pass.sh | 4 ++ + .../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++ + .../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++ + rhel8/profiles/ospp.profile | 2 + + 10 files changed, 99 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var + create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +new file mode 100644 +index 0000000000..2620c2d49e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +@@ -0,0 +1,9 @@ 
++# platform = multi_platform_all ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++populate var_rekey_limit_size ++populate var_rekey_limit_time ++ ++{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +new file mode 100644 +index 0000000000..57aa090948 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -0,0 +1,43 @@ ++{{% set filepath = "/etc/ssh/sshd_config" %}} ++{{% set parameter = "RekeyLimit" %}} ++ ++ ++ ++ ++ ++ {{{ rule_title }}} ++ {{{- oval_affected(products) }}} ++ Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' ++ ++ ++ {{{- application_not_required_or_requirement_unset() }}} ++ {{{- application_required_or_requirement_unset() }}} ++ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath }}} ++ ++ 1 ++ ++ ++ ++ ++ ^[\s]*RekeyLimit[\s]+ ++ ++ [\s]+ ++ ++ [\s]*$ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +index e11678faa0..4936a381f5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +@@ -7,7 +7,7 @@ description: |- + the session key of the is renegotiated, both in terms of + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line +- RekeyLimit 512M 1h to file /etc/ssh/sshd_config. ++ RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. 
+ + rationale: |- + By decreasing the limit based on the amount of data and enabling +@@ -30,12 +30,4 @@ ocil: |- + following command: +
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+ If configured properly, output should be +-
RekeyLimit 512M 1h
+- +-template: +- name: sshd_lineinfile +- vars: +- missing_parameter_pass: 'false' +- parameter: RekeyLimit +- rule_id: sshd_rekey_limit +- value: 512M 1h ++
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh +new file mode 100644 +index 0000000000..2ac0bbf350 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh +new file mode 100644 +index 0000000000..fec859fe05 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh +new file mode 100644 +index 0000000000..a6cd10163f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh +new file mode 100644 +index 0000000000..a6a2ba7adf +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var +new file 
mode 100644 +index 0000000000..16dc376508 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++title: 'SSH RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' ++ ++type: string ++ ++operator: equals ++ ++options: ++ sshd_default: "default" ++ default: "512M" ++ "512M": "512M" +diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var +new file mode 100644 +index 0000000000..8801fbbf6f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++title: 'SSH RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' ++ ++type: string ++ ++operator: equals ++ ++options: ++ sshd_default: "none" ++ default: "1h" ++ "1hour": "1h" +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index c672066050..a5223a187f 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -58,6 +58,8 @@ selections: + - sshd_set_keepalive + - sshd_enable_warning_banner + - sshd_rekey_limit ++ - var_rekey_limit_size=512M ++ - var_rekey_limit_time=1hour + - sshd_use_strong_rng + - openssl_use_strong_entropy + + +From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 19 May 2020 17:57:12 +0200 +Subject: [PATCH 2/5] Updated stable profile definitions. 
+ +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 ++ + tests/data/profile_stability/rhel8/stig.profile | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 23039c82b4..bdda39a903 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -214,6 +214,8 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 ++- var_rekey_limit_size=512M ++- var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 + - var_password_pam_maxrepeat=3 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index cd31b73700..ebef541921 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the + + - Red Hat Containers with a Red Hat Enterprise Linux 8 image' + documentation_complete: true +-extends: ospp + selections: + - account_disable_post_pw_expiration + - account_temp_expire_date +@@ -243,6 +242,8 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 ++- var_rekey_limit_size=512M ++- var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 + - var_password_pam_maxrepeat=3 + +From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:43:36 +0200 +Subject: [PATCH 3/5] Improved how variables are handled in remediations. 
+ +--- + shared/macros-ansible.jinja | 14 ++++++++++++++ + shared/macros-bash.jinja | 15 +++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 56a3f5f3ec..6798a25d1f 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -1,3 +1,17 @@ ++{{# ++Pass strings that correspond to XCCDF value names as arguments to this macro: ++ansible_instantiate_variables("varname1", "varname2") ++ ++Then, assume that the task that follows can work with the variable by referencing it, e.g. ++value: "Setting={{ varname1 }}" ++ ++#}} ++{{%- macro ansible_instantiate_variables() -%}} ++{{%- for name in varargs -%}} ++- (xccdf-var {{{ name }}}) ++{{% endfor -%}} ++{{%- endmacro -%}} ++ + {{# + A wrapper over the Ansible lineinfile module. This handles the most common + options for us. regex is optional and when blank, it won't be included in +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 01b9e62e7b..3a94fe5dd8 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -1,5 +1,20 @@ + {{# ##### High level macros ##### #}} + ++{{# ++Pass strings that correspond to XCCDF value names as arguments to this macro: ++bash_instantiate_variables("varname1", "varname2") ++ ++Then, assume that variables of that names are defined and contain the correct value, e.g. ++echo "Setting=$varname1" >> config_file ++ ++#}} ++{{%- macro bash_instantiate_variables() -%}} ++{{%- for name in varargs -%}} ++populate {{{ name }}} ++{{# this line is intentionally left blank #}} ++{{% endfor -%}} ++{{%- endmacro -%}} ++ + {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} + {{% if no_quotes -%}} + {{% if "$" in value %}} + +From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:44:08 +0200 +Subject: [PATCH 4/5] Fixed Bash and Ansible remediations. 
+ +--- + .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++ + .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +-- + 2 files changed, 9 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml +new file mode 100644 +index 0000000000..43a2d4521f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all [0/453] ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} ++ ++{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +index 2620c2d49e..0277f31392 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +@@ -3,7 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_rekey_limit_size +-populate var_rekey_limit_time ++{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} + + {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} + +From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:49:04 +0200 +Subject: [PATCH 5/5] Improved the OVAL according to the review feedback. 
+ +--- + .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +index 57aa090948..47796e5332 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -1,5 +1,4 @@ +-{{% set filepath = "/etc/ssh/sshd_config" %}} +-{{% set parameter = "RekeyLimit" %}} ++{{% set filepath = "/etc/ssh/sshd_config" -%}} + + + +@@ -7,7 +6,7 @@ + + {{{ rule_title }}} + {{{- oval_affected(products) }}} +- Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' ++ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' + + + {{{- application_not_required_or_requirement_unset() }}} diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch new file mode 100644 index 0000000..2b758fb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch 
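Review bot: The four new test scenarios under sshd_rekey_limit/tests run `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` without `-i`, so the existing RekeyLimit line is only printed to stdout and never removed; ok.pass.sh and the bad_*.fail.sh scripts then append a second directive (and sshd honours the first occurrence of a keyword), while no_line.fail.sh changes nothing at all — each should read `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`. var_rekey_limit_time.var copies the size variable's metadata verbatim (`title: 'SSH RekeyLimit - size'`, `description: 'Specify the size component of the rekey limit.'`) and should describe the time component instead. The `# platform = multi_platform_all [0/453]` header of the new ansible/shared.yml carries what looks like a pasted terminal artifact after the platform name; the same line appears in the ssh_client_rekey_limit ansible remediation of the PR5788 patch that follows. The removal of `extends: ospp` from tests/data/profile_stability/rhel8/stig.profile is not mentioned in the commit message "Updated stable profile definitions"; it may be intended, but it is worth confirming.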
@@ -0,0 +1,102 @@ +From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 10:51:24 +0200 +Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp + +--- + .../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 + + rhel8/profiles/ospp.profile | 2 +- + rhel8/profiles/stig.profile | 3 +++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var +index 16dc376508..395a087a68 100644 +--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var ++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var +@@ -12,3 +12,4 @@ options: + sshd_default: "default" + default: "512M" + "512M": "512M" ++ "1G": "1G" +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index a5223a187f..0dca8350f9 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -58,7 +58,7 @@ selections: + - sshd_set_keepalive + - sshd_enable_warning_banner + - sshd_rekey_limit +- - var_rekey_limit_size=512M ++ - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - sshd_use_strong_rng + - openssl_use_strong_entropy +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 2bb81cf9dc..a156857647 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -44,3 +44,6 @@ selections: + - package_rsyslog-gnutls_installed + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert ++ - sshd_rekey_limit ++ - var_rekey_limit_size=512M ++ - var_rekey_limit_time=1hour + +From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 10:51:54 +0200 +Subject: [PATCH 2/3] update stable ospp profile + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git 
a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index bdda39a903..25f7922bf3 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -214,7 +214,7 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 +-- var_rekey_limit_size=512M ++- var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 + +From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 28 May 2020 09:30:58 +0200 +Subject: [PATCH 3/3] propagate change also into stig profile + +--- + rhel8/profiles/stig.profile | 3 --- + tests/data/profile_stability/rhel8/stig.profile | 2 +- + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index a156857647..2bb81cf9dc 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -44,6 +44,3 @@ selections: + - package_rsyslog-gnutls_installed + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert +- - sshd_rekey_limit +- - var_rekey_limit_size=512M +- - var_rekey_limit_time=1hour +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index ebef541921..6c4270925f 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -242,7 +242,7 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 +-- var_rekey_limit_size=512M ++- var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch new file mode 100644 index 0000000..8ebfb97 --- /dev/null 
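Review bot: Patches 1 and 3 of this series cancel each other for rhel8/profiles/stig.profile (three selections added, then removed), so the backport carries a change together with its revert; squashing them would leave only the effective change, the ospp profile and the two stability profiles moving from `var_rekey_limit_size=512M` to `var_rekey_limit_size=1G`. Raising the size component from 512M to 1G doubles the data volume protected by a single session key, and neither commit message records the reason; a one-line rationale in the first commit message would help future reviewers of the package. The stig stability data now shows `var_rekey_limit_size=1G` while rhel8/profiles/stig.profile ends up without the `sshd_rekey_limit` selections, which is consistent only if stig inherits them from ospp — presumably the case, but worth confirming.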
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch 
@@ -0,0 +1,798 @@ +From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:34:50 +0200 +Subject: [PATCH 01/11] add rule, variables, check, remediations + +--- + .../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++ + .../ssh_client_rekey_limit/bash/shared.sh | 8 ++++ + .../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++ + .../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++ + .../var_ssh_client_rekey_limit_size.var | 15 +++++++ + .../var_ssh_client_rekey_limit_time.var | 14 +++++++ + shared/references/cce-redhat-avail.txt | 1 - + 7 files changed, 118 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var + create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +new file mode 100644 +index 0000000000..6d2bcbbd44 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all [0/453] ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} ++ ++{{{ ansible_lineinfile(msg='Ensure that rekey limit is set 
to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +new file mode 100644 +index 0000000000..43d0971ffc +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} ++ ++{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +new file mode 100644 +index 0000000000..2412763e3f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +@@ -0,0 +1,39 @@ ++{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} ++ ++ ++ ++ ++ ++ {{{ rule_title }}} ++ {{{- oval_affected(products) }}} ++ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' ++ ++ ++ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath }}} ++ ++ 1 ++ ++ ++ ++ ++ 
^[\s]*RekeyLimit[\s]+ ++ ++ [\s]+ ++ ++ [\s]*$ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +new file mode 100644 +index 0000000000..a1b85b0ee5 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure session renegotiation for SSH client' ++ ++description: |- ++ The RekeyLimit parameter specifies how often ++ the session key is renegotiated, both in terms of ++ amount of data that may be transmitted and the time ++ elapsed. To decrease the default limits, put line ++ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. ++ ++rationale: |- ++ By decreasing the limit based on the amount of data and enabling ++ time-based limit, effects of potential attacks against ++ encryption keys are limited. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82880-6 ++ ++references: ++ ospp: FCS_SSHS_EXT.1 ++ ++ocil_clause: 'it is commented out or is not set' ++ ++ocil: |- ++ To check if RekeyLimit is set correctly, run the ++ following command: ++
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
++ If configured properly, output should be ++
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +new file mode 100644 +index 0000000000..bcf051fd97 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++title: 'SSH client RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' ++ ++type: string ++ ++operator: equals ++ ++options: ++ ssh_client_default: "default" ++ default: "512M" ++ "512M": "512M" ++ "1G": "1G" +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +new file mode 100644 +index 0000000000..31c76f9ab5 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++title: 'SSH client RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' 
++ ++type: string ++ ++operator: equals ++ ++options: ++ ssh_client_default: "none" ++ default: "1h" ++ "1hour": "1h" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 45d03a2c1d..e060d2fb1c 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1,4 +1,3 @@ +-CCE-82880-6 + CCE-82882-2 + CCE-82883-0 + CCE-82888-9 + +From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:35:24 +0200 +Subject: [PATCH 02/11] add tests + +--- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++ + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++ + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++ + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++ + 4 files changed, 15 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +new file mode 100644 +index 0000000000..2ac0bbf350 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +new file mode 100644 +index 0000000000..fec859fe05 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +new file mode 100644 +index 0000000000..a6cd10163f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +new file mode 100644 +index 0000000000..a6a2ba7adf +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config + +From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:35:43 +0200 +Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles + +--- + rhel8/profiles/ospp.profile | 5 +++++ + tests/data/profile_stability/rhel8/ospp.profile | 3 +++ + tests/data/profile_stability/rhel8/stig.profile | 3 +++ + 3 files changed, 11 insertions(+) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 0dca8350f9..07d32b814d 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -410,3 +410,8 @@ 
selections: + + # Prevent Kerberos use by system daemons + - kerberos_disable_no_keytab ++ ++ # set ssh client rekey limit ++ - ssh_client_rekey_limit ++ - var_ssh_client_rekey_limit_size=1G ++ - var_ssh_client_rekey_limit_time=1hour +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 25f7922bf3..b0d7672c36 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -240,4 +240,7 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info ++- ssh_client_rekey_limit ++- var_ssh_client_rekey_limit_size=1G ++- var_ssh_client_rekey_limit_time=1hour + title: Protection Profile for General Purpose Operating Systems +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 6c4270925f..330ecc7e1e 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -269,4 +269,7 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info ++- ssh_client_rekey_limit ++- var_ssh_client_rekey_limit_size=1G ++- var_ssh_client_rekey_limit_time=1hour + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' + +From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 28 May 2020 14:25:41 +0200 +Subject: [PATCH 04/11] improve description of variables + +--- + .../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++-- + .../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++--- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var 
b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +index bcf051fd97..4e20104cba 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -2,14 +2,20 @@ documentation_complete: true + + title: 'SSH client RekeyLimit - size' + +-description: 'Specify the size component of the rekey limit.' ++description: |- ++ Specify the size component of the rekey limit. This limit signifies amount ++ of data. After this amount of data is transferred through the connection, ++ the session key is renegotiated. The number is followed by K, M or G for ++ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also ++ configured according to ellabsed time. ++ ++interactive: true + + type: string + + operator: equals + + options: +- ssh_client_default: "default" + default: "512M" + "512M": "512M" + "1G": "1G" +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +index 31c76f9ab5..6143a5448c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -1,14 +1,20 @@ + documentation_complete: true + +-title: 'SSH client RekeyLimit - size' ++title: 'SSH client RekeyLimit - time' + +-description: 'Specify the size component of the rekey limit.' ++description: |- ++ Specify the time component of the rekey limit. This limit signifies amount ++ of data. The session key is renegotiated after the defined amount of time ++ passes. The number is followed by units such as H or M for hours or minutes. ++ Note that the RekeyLimit can be also configured according to amount of ++ transfered data. 
++ ++interactive: true + + type: string + + operator: equals + + options: +- ssh_client_default: "none" + default: "1h" + "1hour": "1h" + +From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 28 May 2020 14:26:12 +0200 +Subject: [PATCH 05/11] fix tests and ansible + +--- + .../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++-- + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++-- + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +- + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++-- + 5 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +index 6d2bcbbd44..bb6544a0a0 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_all [0/453] ++# platform = multi_platform_all + # reboot = false + # strategy = configure + # complexity = low +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +index 2ac0bbf350..22c465b08f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -1,4 +1,4 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config ++ ++echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git 
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +index fec859fe05..0dc621b1da 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -1,4 +1,4 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config ++ ++echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +index a6cd10163f..f6abf711da 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -1,3 +1,3 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index a6a2ba7adf..e64e4191bc 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -1,4 +1,5 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config ++ ++rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf ++echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf + +From 
9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 1 Jun 2020 14:29:47 +0200 +Subject: [PATCH 06/11] fix test to use default value, remove rule from stig + +--- + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +- + rhel8/profiles/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 1 - + 3 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index e64e4191bc..89d7069687 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -2,4 +2,4 @@ + + + rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf +-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 2bb81cf9dc..8f12852e26 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -44,3 +44,4 @@ selections: + - package_rsyslog-gnutls_installed + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert ++ - "!ssh_client_rekey_limit" +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 330ecc7e1e..9b164eb5c2 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -269,7 +269,6 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info +-- ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' + 
+From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Jun 2020 12:38:19 +0200 +Subject: [PATCH 07/11] rewrite oval to check for multiple locations + +--- + .../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +index 2412763e3f..41fa0497ae 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +@@ -1,28 +1,17 @@ +-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} +- + + + + + {{{ rule_title }}} + {{{- oval_affected(products) }}} +- Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' ++ Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf + +- +- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ + + + +- +- +- +- +- +- {{{ filepath }}} +- +- 1 +- +- + + + ^[\s]*RekeyLimit[\s]+ +@@ -35,5 +24,26 @@ + + + +- + ++ ++ ++ ++ ++ ++ ++ /etc/ssh/ssh_config ++ ^[\s]*RekeyLimit.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/ssh/ssh_config\.d/.*\.conf$ ++ ++ 1 ++ ++ ++
+ +From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:24:54 +0200 +Subject: [PATCH 08/11] reqrite remediations + +--- + .../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++ + .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +index bb6544a0a0..36de503806 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -5,4 +5,20 @@ + # disruption = low + {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} + ++{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}} ++ ++- name: Collect all include config files for ssh client which configure RekeyLimit ++ find: ++ paths: "/etc/ssh/ssh_config.d/" ++ contains: '^[\s]*RekeyLimit.*$' ++ patterns: "*.config" ++ register: ssh_config_include_files ++ ++- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^[\s]*RekeyLimit.*$' ++ state: "absent" ++ loop: "{{ ssh_config_include_files.files }}" ++ + {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} +diff 
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +index 43d0971ffc..99f6f63c92 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +@@ -5,4 +5,17 @@ + + {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} + ++main_config="/etc/ssh/ssh_config" ++include_directory="/etc/ssh/ssh_config.d" ++ ++if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then ++ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" ++fi ++ ++for file in "$include_directory"/*.conf; do ++ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then ++ sed -i '/^[\s]*RekeyLimit.*/d' "$file" ++ fi ++done ++ + {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} + +From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:25:14 +0200 +Subject: [PATCH 09/11] add more tests + +--- + .../tests/bad_main_config_good_include_config.fail.sh | 4 ++++ + .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++ + .../tests/ok_different_config_file.pass.sh | 3 +++ + 3 files changed, 11 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh + +diff 
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +new file mode 100644 +index 0000000000..90314712af +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/basdh ++ ++echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh +new file mode 100644 +index 0000000000..9ba20b0290 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++rm -rf /etc/ssh/ssh_config.d/* ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh +new file mode 100644 +index 0000000000..f725f6936f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf + +From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:25:29 +0200 +Subject: [PATCH 10/11] extend description and ocil + +--- + .../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git 
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index a1b85b0ee5..76f5f84090 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -10,6 +10,12 @@ description: |- + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line + RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. ++ Make sure that there is no other RekeyLimit configuration preceding ++ the include directive in the main config file ++ /etc/ssh/ssh_config. Check also other files in ++ /etc/ssh/ssh_config.d directory. Files are processed according to ++ their names. Make sure that there is no file processed before ++ 02-rekey-limit.conf containing definition of RekeyLimit. + + rationale: |- + By decreasing the limit based on the amount of data and enabling +@@ -27,8 +33,11 @@ references: + ocil_clause: 'it is commented out or is not set' + + ocil: |- +- To check if RekeyLimit is set correctly, run the +- following command: +-
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
+- If configured properly, output should be +-
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
++ To check if RekeyLimit is set correctly, run the following command:
$
++    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured ++ properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
++    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
++    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the ++ main configuration file with the following command:
sudo grep
++    RekeyLimit /etc/ssh/ssh_config
The command should not return any ++ output. + +From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 8 Jun 2020 11:44:44 +0200 +Subject: [PATCH 11/11] fix typos and wording + +--- + .../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++-- + .../tests/bad_main_config_good_include_config.fail.sh | 2 +- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 + + .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +- + .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++----- + 8 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index 76f5f84090..b054d9d221 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -14,8 +14,9 @@ description: |- + the include directive in the main config file + /etc/ssh/ssh_config. Check also other files in + /etc/ssh/ssh_config.d directory. Files are processed according to +- their names. Make sure that there is no file processed before +- 02-rekey-limit.conf containing definition of RekeyLimit. ++ lexicographical order of file names. Make sure that there is no file ++ processed before 02-rekey-limit.conf containing definition of ++ RekeyLimit. 
+ + rationale: |- + By decreasing the limit based on the amount of data and enabling +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +index 90314712af..58befb0107 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +@@ -1,4 +1,4 @@ +-#!/bin/basdh ++#!/bin/bash + + echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config + echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +index 22c465b08f..1803c26629 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +index 0dc621b1da..2c9e839255 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +index f6abf711da..7de108eafd 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index 89d7069687..4c047ed179 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +index 4e20104cba..c8dd8ef10e 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -7,7 +7,7 @@ description: |- + of data. After this amount of data is transferred through the connection, + the session key is renegotiated. The number is followed by K, M or G for + kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also +- configured according to ellabsed time. ++ configured according to elapsed time. 
+ + interactive: true + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +index 6143a5448c..6223e8e38f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -3,11 +3,10 @@ documentation_complete: true + title: 'SSH client RekeyLimit - time' + + description: |- +- Specify the time component of the rekey limit. This limit signifies amount +- of data. The session key is renegotiated after the defined amount of time +- passes. The number is followed by units such as H or M for hours or minutes. +- Note that the RekeyLimit can be also configured according to amount of +- transfered data. ++ Specify the time component of the rekey limit. The session key is ++ renegotiated after the defined amount of time passes. The number is followed ++ by units such as H or M for hours or minutes. Note that the RekeyLimit can ++ be also configured according to amount of transfered data. + + interactive: true + diff --git a/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch b/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch new file mode 100644 index 0000000..d80f19e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch 
@@ -0,0 +1,65 @@ +From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Tue, 16 Jun 2020 16:04:10 -0600 +Subject: [PATCH] Remove grub documentation links from RHEL7 rationale + +--- + .../system/bootloader-grub2/grub2_admin_username/rule.yml | 7 ------- + .../guide/system/bootloader-grub2/grub2_password/rule.yml | 7 ------- + .../system/bootloader-grub2/grub2_uefi_password/rule.yml | 7 ------- + 3 files changed, 21 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +index 2042a17806..63a6a7a83c 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +@@ -24,13 +24,6 @@ description: |- + + rationale: |- + Having a non-default grub superuser username makes password-guessing attacks less effective. +- {{% if product == "rhel7" %}} +- For more information on how to configure the grub2 superuser account and password, +- please refer to +-
    +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . +-
+- {{% endif %}} + + severity: low + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +index 00cec58c77..985b8727d7 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +@@ -23,13 +23,6 @@ rationale: |- + users with physical access cannot trivially alter + important bootloader settings. These include which kernel to use, + and whether to enter single-user mode. +- {{% if product == "rhel7" %}} +- For more information on how to configure the grub2 superuser account and password, +- please refer to +-
    +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . +-
+- {{% endif %}} + + severity: high + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +index 954d6f21d0..3ce5a2df13 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +@@ -23,13 +23,6 @@ rationale: |- + users with physical access cannot trivially alter + important bootloader settings. These include which kernel to use, + and whether to enter single-user mode. +- {{% if product == "rhel7" %}} +- For more information on how to configure the grub2 superuser account and password, +- please refer to +-
    +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . +-
+- {{% endif %}} + + severity: medium + diff --git a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch new file mode 100644 index 0000000..4b69221 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch 
@@ -0,0 +1,1216 @@ +From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Sun, 29 Mar 2020 00:58:02 -0400 +Subject: [PATCH 01/20] update CIS RHEL8 profile + +--- + .../service_crond_enabled/rule.yml | 2 +- + .../r_services/no_rsh_trust_files/rule.yml | 8 +- + .../rule.yml | 2 +- + .../account_unique_name/rule.yml | 11 +- + .../accounts_maximum_age_login_defs/rule.yml | 2 +- + .../accounts_minimum_age_login_defs/rule.yml | 1 + + .../rule.yml | 1 + + .../var_accounts_maximum_age_login_defs.var | 1 + + .../password_storage/no_netrc_files/rule.yml | 4 +- + .../accounts_no_uid_except_zero/rule.yml | 2 +- + .../no_direct_root_logins/rule.yml | 2 +- + .../rule.yml | 1 + + .../accounts-session/accounts_tmout/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_home_dirs/rule.yml | 4 +- + .../rsyslog_files_permissions/rule.yml | 2 +- + .../ensure_logrotate_activated/rule.yml | 1 + + .../package_rsyslog_installed/rule.yml | 2 +- + .../rsyslog_nolisten/rule.yml | 2 + + .../rsyslog_remote_loghost/rule.yml | 4 +- + .../logging/service_rsyslog_enabled/rule.yml | 2 +- + rhel8/profiles/cis.profile | 141 ++++++++++++------ + shared/references/cce-redhat-avail.txt | 2 - + 24 files changed, 137 insertions(+), 63 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +index a1f82cf5c9..09d1a92a55 100644 +--- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml +@@ -24,7 +24,7 @@ identifiers: + references: + stigid@rhel6: "000224" + srg@rhel6: SRG-OS-999999 +- cis: 5.1.1 ++ cis@rhel8: 5.1.1 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + nist: CM-6(a) + nist-csf: PR.IP-1,PR.PT-3 +diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml 
b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +index 2ccf4127b7..ec2fa6c012 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml +@@ -12,9 +12,9 @@ description: |- +
$ rm ~/.rhosts
+ + rationale: |- +- Trust files are convenient, but when +- used in conjunction with the R-services, they can allow +- unauthenticated access to a system. ++ This action is only meaningful if .rhosts support is permitted ++ through PAM. Trust files are convenient, but when used in conjunction with ++ the R-services, they can allow unauthenticated access to a system. + + severity: high + +@@ -26,7 +26,7 @@ identifiers: + references: + stigid@rhel6: "000019" + srg@rhel6: SRG-OS-000248 +- cis: 6.2.14 ++ cis@rhel8: 6.2.13 + disa: "1436" + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +index fff30d70c7..7a1538392a 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml +@@ -43,7 +43,7 @@ references: + stigid@rhel6: "000062" + srg@rhel6: SRG-OS-000120 + disa@rhel6: '803' +- cis: 6.3.1 ++ cis@rhel8: 5.4.4 + cjis: 5.6.2.2 + cui: 3.13.11 + disa: "196" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +index 2cdafc0609..35652a410b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +@@ -2,9 +2,15 @@ documentation_complete: true + + title: 'Ensure All Accounts on the System Have Unique 
Names' + +-description: 'Change usernames, or delete accounts, so each has a unique name.' ++description: |- ++ Although the useradd utility prevents creation of duplicate user ++ names, it is possible for a malicious administrator to manually edit the ++ /etc/passwd file and change the user name. + +-rationale: 'Unique usernames allow for accountability on the system.' ++rationale: |- ++ If a user is assigned a duplicate user name, the new user will be able to ++ create and have access to files with the first UID for that username as ++ defined in /etc/passwd. + + severity: medium + +@@ -19,6 +25,7 @@ references: + cjis: 5.5.2 + disa: 770,804 + pcidss: Req-8.1.1 ++ cis@rhel8: 6.2.17 + + ocil_clause: 'a line is returned' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index af1ea13d8f..c2c4aa11bc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -34,7 +34,7 @@ references: + stigid@rhel6: "000053" + srg@rhel6: SRG-OS-000076 + disa@rhel6: '180' +- cis: 5.4.1.1 ++ cis@rhel8: 5.5.1.1 + cjis: 5.6.2.1 + cui: 3.5.6 + disa: "199" +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +index 2de12efb3e..6147d672a4 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +@@ -44,6 +44,7 @@ references: + 
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ cis@rhel8: 5.5.1.2 + + ocil_clause: 'it is not equal to or greater than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +index 3a5c00708d..2a1005bd20 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +@@ -33,6 +33,7 @@ references: + cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,12,13,14,15,16,18,3,5,7,8 ++ cis@rhel8: 5.5.1.3 + + ocil_clause: 'it is not set to the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var +index 731f8f475f..11eb238c5d 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var +@@ -9,6 +9,7 @@ type: number + interactive: false + + options: ++ 365: 365 + 120: 120 + 180: 180 + 60: 60 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml 
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +index 01454a7274..8547893201 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +@@ -11,8 +11,7 @@ description: |- + + rationale: |- + Unencrypted passwords for remote FTP servers may be stored in .netrc +- files. DoD policy requires passwords be encrypted in storage and not used +- in access scripts. ++ files. + + severity: medium + +@@ -24,6 +23,7 @@ identifiers: + references: + stigid@rhel6: "000347" + srg@rhel6: SRG-OS-000073 ++ cis@rhel8: 6.2.11 + disa: "196" + nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7) + nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +index 0b61daf925..14f9140687 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +@@ -31,7 +31,7 @@ references: + stigid@ol7: "020310" + stigid@rhel6: "000032" + srg@rhel6: SRG-OS-999999 +- cis: 6.2.5 ++ cis@rhel8: 6.2.6 + cui: 3.1.1,3.1.5 + disa: "366" + nist: IA-2,AC-6(5),IA-4(b) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml +index 1d08bde4d9..9e00f3aad6 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml +@@ -33,7 +33,7 @@ identifiers: + cce@ocp4: 82698-2 
+ + references: +- cis: "5.5" ++ cis@rhel8: "5.6" + cui: 3.1.1,3.1.6 + hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) + nist: IA-2,CM-6(a) +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml +index ae8ba133b7..0c26ac3240 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml +@@ -35,6 +35,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ cis@rhel8: "5.6" + srg: SRG-OS-000324-GPOS-00125 + + ocil_clause: 'root login over virtual console devices is permitted' +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +index 787f2264de..f09006b72b 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 ++ cis@rhel8: 5.5.3 + anssi: NT28(R29) + + ocil_clause: 'value of TMOUT is not less than or equal to expected setting' +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml 
b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index e7e9a751a4..bedf3a0b19 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -27,6 +27,7 @@ references: + disa: "366" + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: "020620" ++ cis@rhel8: 6.2.20 + + ocil_clause: 'users home directory does not exist' + +diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +index d58884235e..1c5ac8d099 100644 +--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +@@ -26,6 +26,7 @@ references: + disa: "366" + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: "020650" ++ cis@rhel8: 6.2.8 + + ocil_clause: 'the group ownership is incorrect' + +diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml +index 8812f9d123..27c190b5b1 100644 +--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml +@@ -22,11 +22,12 @@ rationale: |- + to one another's home directories, this can be provided using + groups or ACLs. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel6: 26981-1 + cce@rhel7: 80201-7 ++ cce@rhel8: 84274-0 + + references: + disa: "225" +@@ -37,6 +38,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ cis@rhel8: 6.2.7 + + ocil_clause: 'the user home directory is group-writable or world-readable' + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +index 4c1e69020b..aa6e0905ae 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +@@ -31,7 +31,7 @@ references: + anssi: NT28(R36) + stigid@rhel6: "000135" + srg@rhel6: SRG-OS-000206 +- cis: 4.2.1.3 ++ cis@rhel8: 4.2.1.3 + disa: "1314" + nist: CM-6(a),AC-6(1) + pcidss: Req-10.5.1,Req-10.5.2 +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml +index def9566692..2c41a3b9ef 100644 +--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml +@@ -35,6 +35,7 @@ references: + cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 + iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 + cis-csc: 1,14,15,16,3,5,6 ++ cis@rhel8: 4.3 + anssi: NT28(R43),NT12(R18) + + ocil_clause: 'logrotate is not configured to run daily' +diff --git 
a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml +index 9f00dd9704..00fecf8a3c 100644 +--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml ++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml +@@ -18,7 +18,7 @@ identifiers: + references: + cis@debian8: 5.1.1 + anssi: NT28(R5),NT28(R46) +- cis: 4.2.3 ++ cis@rhel8: 4.2.1.1 + disa: 1311,1312 + hipaa: 164.312(a)(2)(ii) + iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +index 8a5a15e1da..14e729252c 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +@@ -26,6 +26,7 @@ severity: medium + identifiers: + cce@rhel6: 26803-7 + cce@rhel7: 80192-8 ++ cce@rhel8: 84275-7 + + references: + stigid@ol7: "031010" +@@ -39,3 +40,4 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 + stigid@rhel7: "031010" ++ cis@rhel8: 4.2.1.6 +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +index 7b70b0c186..da28b99561 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml ++++ 
b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +@@ -46,8 +46,8 @@ references: + anssi: NT28(R7),NT28(R43),NT12(R5) + stigid@rhel6: "000136" + srg@rhel6: SRG-OS-000043,SRG-OS-000215 +- cis: 4.2.1.4 +- disa: 136,366,1348,1851 ++ cis@rhel8: 4.2.1.5 ++ disa: 366,1348,136,1851 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii) + iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1 + nist: CM-6(a),AU-4(1),AU-9(2) +diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +index ce8347c686..92fd6bc4d8 100644 +--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml ++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +@@ -20,7 +20,7 @@ identifiers: + references: + cis@debian8: 5.1.2 + anssi: NT28(R5),NT28(R46) +- cis: 4.2.1.1 ++ cis@rhel8: 4.2.1.2 + disa: 1311,1312,1557,1851 + hipaa: 164.312(a)(2)(ii) + iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1 +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index cc0c2a5b9a..528f17d696 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -602,87 +602,88 @@ selections: + + ### 4.1.9 Ensure discretionary access control permission modification + ### events are collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509 + + ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are + ### collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510 + + ### 4.1.11 Ensure events that modify user/group information are + ### collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511 + + ### 4.1.12 Ensure successful file 
system mounts are collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512 + + ### 4.1.13 Ensure use of privileged commands is collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513 + + ### 4.1.14 Ensure file deletion events by users are collected + ### (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514 + + ### 4.1.15 Ensure kernel module loading and unloading is collected + ### (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515 + + ### 4.1.16 Ensure system administrator actions (sudolog) are + ### collected (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516 + + ### 4.1.17 Ensure the audit configuration is immutable (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517 + + ## 4.2 Configure Logging + + ### 4.2.1 Configure rsyslog + + #### 4.2.1.1 Ensure rsyslog is installed (Scored) +- ++ - package_rsyslog_installed + + #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) +- ++ - service_rsyslog_enabled + + #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) +- ++ - rsyslog_files_permissions + + #### 4.2.1.4 Ensure logging is configured (Not Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 + + #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote + #### log host (Scored) +- ++ - rsyslog_remote_loghost + + #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on + #### designated log hosts (Not Scored) +- ++ - rsyslog_nolisten + + ### 4.2.2 Configure journald + + #### 4.2.2.1 Ensure journald is configured to send logs to + #### rsyslog (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 + + #### 4.2.2.2 Ensure journald is configured to compress large + #### log files (Scored) ++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5521 + + + #### 4.2.2.3 Ensure journald is configured to write logfiles to + #### persistent disk (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 + + ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 + + ## 4.3 Ensure logrotate is conifgured (Not Scored) +- ++ - ensure_logrotate_activated + + # 5 Access, Authentication and Authorization + + ## 5.1 Configure cron + +- + ### 5.1.1 Ensure cron daemon is enabled (Scored) ++ - service_crond_enabled + + + ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) +@@ -790,19 +791,19 @@ selections: + + ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute + ### or less (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525 + + ### 5.2.15 Ensure SSH warning banner is configured (Scored) + - sshd_enable_warning_banner + + ### 5.2.16 Ensure SSH PAM is enabled (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526 + + ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) + - sshd_disable_tcp_forwarding + + ### 5.2.18 Ensure SSH MaxStarups is configured (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528 + + ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) + - sshd_set_max_sessions +@@ -815,69 +816,75 @@ selections: + + + ### 5.3.1 Create custom authselectet profile (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530 + + ### 5.3.2 Select authselect profile (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531 + + ### 5.3.3 Ensure authselect includes with-faillock (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532 + + ## 5.4 Configure PAM + + ### 5.4.1 Ensure password creation requirements are configured (Scored) +- 
++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533 + + ### 5.4.2 Ensure lockout for failed password attempts is + ### configured (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534 + + ### 5.4.3 Ensure password reuse is limited (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535 + + ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) +- ++ - set_password_hashing_algorithm_systemauth + + ## 5.5 User Accounts and Environment + + ### 5.5.1 Set Shadow Password Suite Parameters + + #### 5.5.1 Ensure password expiration is 365 days or less (Scored) +- ++ - var_accounts_maximum_age_login_defs=365 ++ - accounts_maximum_age_login_defs + + #### 5.5.1.2 Ensure minimum days between password changes is 7 + #### or more (Scored) +- ++ - var_accounts_minimum_age_login_defs=7 ++ - accounts_minimum_age_login_defs + + #### 5.5.1.3 Ensure password expiration warning days is + #### 7 or more (Scored) +- ++ - var_accounts_password_warn_age_login_defs=7 ++ - accounts_password_warn_age_login_defs + + #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536 + + #### 5.5.1.5 Ensure all users last password change date is + #### in the past (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 + + ### 5.5.2 Ensure system accounts are secured (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538 + + ### 5.5.3 Ensure default user shell timeout is 900 seconds + ### or less (Scored) +- ++ - var_accounts_tmout=15_min ++ - accounts_tmout + + ### 5.5.4 Ensure default group for the root account is + ### GID 0 (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 + + ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) +- ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540 + + 
## 5.6 Ensure root login is restricted to system console (Not Scored) +- ++ - securetty_root_login_console_only ++ - no_direct_root_logins + + ## 5.7 Ensure access to the su command is restricted (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541 + + # System Maintenance + +@@ -971,8 +978,58 @@ selections: + ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) + - no_legacy_plus_entries_etc_passwd + +- ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) ++ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) + - no_legacy_plus_entries_etc_shadow + +- ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) ++ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) + - no_legacy_plus_entries_etc_group ++ ++ ### 6.2.6 Ensure root is the only UID 0 account (Scored) ++ - accounts_no_uid_except_zero ++ ++ ### 6.2.7 Ensure users' home directories permissions are 750 ++ ### or more restrictive (Scored) ++ - file_permissions_home_dirs ++ ++ ### 6.2.8 Ensure users own their home directories (Scored) ++ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 ++ - file_groupownership_home_directories ++ ++ ### 6.2.9 Ensure users' dot files are not group or world ++ ### writable (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 ++ ++ ### 6.2.10 Ensure no users have .forward files (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 ++ ++ ### 6.2.11 Ensure no users have .netrc files (Scored) ++ - no_netrc_files ++ ++ ### 6.2.12 Ensure users' .netrc Files are not group or ++ ### world accessible (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 ++ ++ ### 6.2.13 Ensure no users have .rhosts files (Scored) ++ - no_rsh_trust_files ++ ++ ### 6.2.14 Ensure all groups in /etc/passwd exist in ++ ### /etc/group (Scored) ++ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5503 ++ ++ ### 6.2.15 Ensure no duplicate UIDs exist (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 ++ ++ ### 6.2.16 Ensure no duplicate GIDs exist (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 ++ ++ ### 6.2.17 Ensure no duplicate user names exist (Scored) ++ - account_unique_name ++ ++ ### 6.2.18 Ensure no duplicate group names exist (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500 ++ ++ ### 6.2.19 Ensure shadow group is empty (Scored) ++ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 ++ ++ ### 6.2.20 Ensure all users' home directories exist (Scored) ++ - accounts_user_interactive_home_directory_exists +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index feb31b0395..9e7bd35178 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -901,8 +901,6 @@ CCE-84270-8 + CCE-84271-6 + CCE-84272-4 + CCE-84273-2 +-CCE-84274-0 +-CCE-84275-7 + CCE-84276-5 + CCE-84277-3 + CCE-84278-1 + +From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Sat, 25 Apr 2020 18:52:21 -0400 +Subject: [PATCH 02/20] misc cis8 updates + +--- + .../accounts_users_home_files_ownership/rule.yml | 1 + + .../logging/log_rotation/ensure_logrotate_activated/rule.yml | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml +index a9c73e46ac..8e225cdc64 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml +@@ -24,6 +24,7 @@ references: + 
stigid@ol7: "020660" + disa: "366" + srg: SRG-OS-000480-GPOS-00227 ++ cis@rhel8: 6.2.8 + stigid@rhel7: "020660" + + ocil_clause: 'the user ownership is incorrect' +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml +index 2c41a3b9ef..6e569edfa9 100644 +--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml +@@ -35,7 +35,7 @@ references: + cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 + iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 + cis-csc: 1,14,15,16,3,5,6 +- cis@rhel8: 4.3 ++ cis@rhel8: "4.3" + anssi: NT28(R43),NT12(R18) + + ocil_clause: 'logrotate is not configured to run daily' + +From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 22:32:44 +0200 +Subject: [PATCH 03/20] Add auxiliary rule for dconf settings + +--- + rhel8/profiles/cis.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 528f17d696..202db7f693 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -8,6 +8,8 @@ description: |- + 09-30-2019. 
+ + selections: ++ # Necessary for dconf rules ++ - dconf_db_up_to_date + + ### Partitioning + - mount_option_home_nodev + +From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 22:43:20 +0200 +Subject: [PATCH 04/20] Update time synchonization rule selections + +In RHEL8, only chrony is available +--- + rhel8/profiles/cis.profile | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 202db7f693..762d4a04e3 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -256,10 +256,12 @@ selections: + ### 2.2.1 Time Synchronization + + #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) +- - service_chronyd_or_ntpd_enabled ++ - package_chrony_installed + + #### 2.2.1.2 Ensure chrony is configured (Scored) +- - chronyd_or_ntpd_specify_remote_server ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user + + ### 2.2.2 Ensure X Window System is not installed (Scored) + - package_xorg-x11-server-common_removed + +From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 22:49:55 +0200 +Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects + +Fixes: #5234 +Fixes: #5235 +--- + rhel8/profiles/cis.profile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 762d4a04e3..3a8e19259b 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -371,14 +371,14 @@ selections: + - sysctl_net_ipv6_conf_all_accept_redirects + + #### net.ipv6.conf.defaults.accept_redirects = 0 +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234 ++ - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) + #### 
net.ipv4.conf.all.secure_redirects = 0 + - sysctl_net_ipv4_conf_all_secure_redirects + + #### net.ipv4.cof.default.secure_redirects = 0 +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235 ++ - sysctl_net_ipv4_conf_default_secure_redirects + + ### 3.2.4 Ensure suspicious packets are logged (Scored) + #### net.ipv4.conf.all.log_martians = 1 + +From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:02:09 +0200 +Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS + +Fixes: #5509 +--- + rhel8/profiles/cis.profile | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 3a8e19259b..a990de4565 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -606,7 +606,19 @@ selections: + + ### 4.1.9 Ensure discretionary access control permission modification + ### events are collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509 ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_fchmod ++ - audit_rules_dac_modification_fchmodat ++ - audit_rules_dac_modification_chown ++ - audit_rules_dac_modification_fchown ++ - audit_rules_dac_modification_fchownat ++ - audit_rules_dac_modification_lchown ++ - audit_rules_dac_modification_setxattr ++ - audit_rules_dac_modification_lsetxattr ++ - audit_rules_dac_modification_fsetxattr ++ - audit_rules_dac_modification_removexattr ++ - audit_rules_dac_modification_lremovexattr ++ - audit_rules_dac_modification_fremovexattr + + ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are + ### collected (Scored) + +From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:07:34 +0200 +Subject: [PATCH 07/20] Select rules for unsuccessful modification + +Fixes: #5510 +--- + rhel8/profiles/cis.profile | 8 +++++++- + 1 file 
changed, 7 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index a990de4565..db54d9ece5 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -622,7 +622,13 @@ selections: + + ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are + ### collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510 ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ # Opinionated selection ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at + + ### 4.1.11 Ensure events that modify user/group information are + ### collected (Scored) + +From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:10:45 +0200 +Subject: [PATCH 08/20] Select rules for user/group modification + +Fixes: #5511 +--- + rhel8/profiles/cis.profile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index db54d9ece5..f8ec16b9a8 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -632,7 +632,11 @@ selections: + + ### 4.1.11 Ensure events that modify user/group information are + ### collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511 ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_opasswd + + ### 4.1.12 Ensure successful file system mounts are collected (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512 + +From 
86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:12:58 +0200 +Subject: [PATCH 09/20] Audit successful system mounts + +Fixes: #5512 +--- + rhel8/profiles/cis.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index f8ec16b9a8..e4f5313e3e 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -639,7 +639,7 @@ selections: + - audit_rules_usergroup_modification_opasswd + + ### 4.1.12 Ensure successful file system mounts are collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512 ++ - audit_rules_media_export + + ### 4.1.13 Ensure use of privileged commands is collected (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513 + +From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:14:21 +0200 +Subject: [PATCH 10/20] Audit privileged commands + +Fixes: #5513 +--- + rhel8/profiles/cis.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index e4f5313e3e..087dd79bb5 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -642,7 +642,7 @@ selections: + - audit_rules_media_export + + ### 4.1.13 Ensure use of privileged commands is collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513 ++ - audit_rules_privileged_commands + + ### 4.1.14 Ensure file deletion events by users are collected + ### (Scored) + +From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:15:49 +0200 +Subject: [PATCH 11/20] Audit file deletion events + +Fixes: #5514 +--- + rhel8/profiles/cis.profile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile 
b/rhel8/profiles/cis.profile +index 087dd79bb5..ca42f24190 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -646,7 +646,12 @@ selections: + + ### 4.1.14 Ensure file deletion events by users are collected + ### (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514 ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlinkat ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_renameat ++ # Opinionated selection ++ - audit_rules_file_deletion_events_rmdir + + ### 4.1.15 Ensure kernel module loading and unloading is collected + ### (Scored) + +From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:16:33 +0200 +Subject: [PATCH 12/20] Audit kernel module loads + +Fixes: #5515 +--- + rhel8/profiles/cis.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index ca42f24190..5e214941ec 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -655,7 +655,7 @@ selections: + + ### 4.1.15 Ensure kernel module loading and unloading is collected + ### (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515 ++ - audit_rules_kernel_module_loading + + ### 4.1.16 Ensure system administrator actions (sudolog) are + ### collected (Scored) + +From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:17:52 +0200 +Subject: [PATCH 13/20] Audit rules should be immutable + +Fixes: #5517 +--- + rhel8/profiles/cis.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 5e214941ec..a0fdd69869 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -662,7 +662,7 @@ selections: + # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5516 + + ### 4.1.17 Ensure the audit configuration is immutable (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517 ++ - audit_rules_immutable + + ## 4.2 Configure Logging + + +From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:31:10 +0200 +Subject: [PATCH 14/20] Select rules for password requirements + +Related to: #5533 +--- + rhel8/profiles/cis.profile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index a0fdd69869..a55c3291a9 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -858,7 +858,12 @@ selections: + ## 5.4 Configure PAM + + ### 5.4.1 Ensure password creation requirements are configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533 ++ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 ++ - accounts_password_pam_retry ++ - var_password_pam_minlen=14 ++ - accounts_password_pam_minlen ++ - var_password_pam_minclass=4 ++ - accounts_password_pam_minclass + + ### 5.4.2 Ensure lockout for failed password attempts is + ### configured (Scored) + +From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:35:50 +0200 +Subject: [PATCH 15/20] Configure password lockout + +Fixes: #5534 +--- + rhel8/profiles/cis.profile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index a55c3291a9..6e10c2efcb 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -867,7 +867,10 @@ selections: + + ### 5.4.2 Ensure lockout for failed password attempts is + ### configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534 ++ - 
var_accounts_passwords_pam_faillock_unlock_time=900 ++ - var_accounts_passwords_pam_faillock_deny=5 ++ - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_deny + + ### 5.4.3 Ensure password reuse is limited (Scored) + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535 + +From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:38:58 +0200 +Subject: [PATCH 16/20] Configure password reuse + +Fixes: #5535 +--- + rhel8/profiles/cis.profile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 6e10c2efcb..2fa85d8676 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -873,7 +873,8 @@ selections: + - accounts_passwords_pam_faillock_deny + + ### 5.4.3 Ensure password reuse is limited (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535 ++ - var_password_pam_unix_remember=5 ++ - accounts_password_pam_unix_remember + + ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) + - set_password_hashing_algorithm_systemauth + +From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:43:04 +0200 +Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting + +Related to: #5536 +--- + rhel8/profiles/cis.profile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 2fa85d8676..e0fd5e1492 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -898,7 +898,10 @@ selections: + - accounts_password_warn_age_login_defs + + #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536 ++ # TODO: Rule doesn't check list of users ++ # 
https://github.com/ComplianceAsCode/content/issues/5536 ++ - var_account_disable_post_pw_expiration=30 ++ - account_disable_post_pw_expiration + + #### 5.5.1.5 Ensure all users last password change date is + #### in the past (Scored) + +From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:46:48 +0200 +Subject: [PATCH 18/20] No shelllogin for system accounts + +Fixes: #5538 +--- + rhel8/profiles/cis.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index e0fd5e1492..0431fb0d45 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -908,7 +908,7 @@ selections: + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 + + ### 5.5.2 Ensure system accounts are secured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538 ++ - no_shelllogin_for_systemaccounts + + ### 5.5.3 Ensure default user shell timeout is 900 seconds + ### or less (Scored) + +From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 23:54:07 +0200 +Subject: [PATCH 19/20] Partially cover umask requirements + +Related to: #5540 +--- + rhel8/profiles/cis.profile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 0431fb0d45..f332ee5462 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -920,7 +920,9 @@ selections: + # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 + + ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540 ++ - var_accounts_user_umask=027 ++ - accounts_umask_etc_bashrc ++ - accounts_umask_etc_profile + + ## 5.6 Ensure root login is restricted to system console (Not Scored) + - 
securetty_root_login_console_only + +From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 22:31:16 +0200 +Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and + OCIL + +--- + .../account_unique_name/rule.yml | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +index 35652a410b..909f1b6657 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml +@@ -3,14 +3,13 @@ documentation_complete: true + title: 'Ensure All Accounts on the System Have Unique Names' + + description: |- +- Although the useradd utility prevents creation of duplicate user +- names, it is possible for a malicious administrator to manually edit the +- /etc/passwd file and change the user name. ++ Ensure accounts on the system have unique names. + +-rationale: |- +- If a user is assigned a duplicate user name, the new user will be able to +- create and have access to files with the first UID for that username as +- defined in /etc/passwd. ++ To ensure all accounts have unique names, run the following command: ++
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
++ If a username is returned, change or delete the username. ++ ++rationale: 'Unique usernames allow for accountability on the system.' + + severity: medium + +@@ -30,6 +29,6 @@ references: + ocil_clause: 'a line is returned' + + ocil: |- +- Run the following command to check for duplicate account names: +-
$ sudo pwck -qr
+- If there are no duplicate names, no line will be returned. ++ To verify all accounts have unique names, run the following command: ++
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
++ No output should be returned.
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
new file mode 100644
index 0000000..801edff
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch
@@ -0,0 +1,43 @@
+From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 28 Jul 2020 13:22:58 +0200
+Subject: [PATCH 1/2] update wording for rhel7 profile
+
+---
+ rhel7/profiles/hipaa.profile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
+index 4310561323..000441de52 100644
+--- a/rhel7/profiles/hipaa.profile
++++ b/rhel7/profiles/hipaa.profile
+@@ -12,6 +12,7 @@ description: |-
+
+ This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+ selections:
+ - grub2_password
+
+From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 28 Jul 2020 13:23:18 +0200
+Subject: [PATCH 2/2] update wording for rhel8 profile
+
+---
+ rhel8/profiles/hipaa.profile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
+index 8d20f9019c..0cb7fbed1f 100644
+--- a/rhel8/profiles/hipaa.profile
++++ b/rhel8/profiles/hipaa.profile
+@@ -12,6 +12,7 @@ description: |-
+
+ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+ selections:
+ - grub2_password
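Review bot: The new disclaimer line added to both hipaa.profile descriptions is grammatically muddled ("makes claims against legal compliance against the HIPAA Security Rule(s)"), and because the description is rendered into the published guide and the datastream it should read unambiguously. Suggest `Use of this profile in no way guarantees or makes claims of legal compliance with the HIPAA Security Rule(s).` in both the rhel7 and rhel8 hunks. Since this sentence is the entire purpose of the patch, it is worth fixing before it ships in two profiles.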
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
new file mode 100644
index 0000000..36b46ee
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
@@ -0,0 +1,52 @@
+From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 17 Aug 2020 10:59:15 +0200
+Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
+
+These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
+In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not
+necessary anymore.
+---
+ tests/run_scapval.py | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/tests/run_scapval.py b/tests/run_scapval.py
+index e1dd806ca1..bc2655b9fd 100755
+--- a/tests/run_scapval.py
++++ b/tests/run_scapval.py
+@@ -46,35 +46,9 @@ def process_results(result_path):
+ return ret_val
+
+
+-def workaround_datastream(datastream_path):
+- tree = ET.parse(datastream_path)
+- root = tree.getroot()
+- # group_id and user_id cannot be zero
+- # tracked at https://github.com/OVAL-Community/OVAL/issues/23
+- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
+- if group_id_element.text is not None:
+- group_id_element.text = "-1"
+- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
+- if user_id_element.text is not None:
+- user_id_element.text = "-1"
+- # OCIL checks for security_patches_up_to_date is causing fail
+- # of SRC-377, when requirement is about OVAL checks.
+- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
+- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
+- for check in rule.findall("{%s}check" % xccdf_ns):
+- system = check.get("system")
+- if system == "http://scap.nist.gov/schema/ocil/2":
+- rule.remove(check)
+- output_path = datastream_path + ".workaround.xml"
+- tree.write(output_path)
+- return output_path
+-
+-
+ def test_datastream(datastream_path, scapval_path, scap_version):
+ result_path = datastream_path + ".result.xml"
+ report_path = datastream_path + ".report.html"
+- if scap_version == "1.3":
+- datastream_path = workaround_datastream(datastream_path)
+ scapval_command = [
+ "java",
+ "-Xmx1024m",
diff --git a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
new file mode 100644
index 0000000..4f0e114
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
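Review bot: Removing `workaround_datastream` very likely leaves `ET`, `oval_unix_ns` and `xccdf_ns` as unused names in tests/run_scapval.py, and within the visible part of `test_datastream` the `scap_version` parameter no longer has any effect; the imports and module constants sit outside this hunk, so please confirm and drop the dead ones (keep `scap_version` only if the rest of the function still reads it). The script now also silently depends on a minimum SCAPVAL release: the commit message says 1.3.5 fixed the false positives, while the deleted code documents why older validators needed the rewrite (OVAL `user_id`/`group_id` of zero, and the OCIL check on `security_patches_up_to_date` tripping SRC-377). A comment next to `scapval_command`, e.g. `# No datastream rewriting for SCAP 1.3: SCAPVAL < 1.3.5 reports false positives (zero user_id/group_id, OCIL check on security_patches_up_to_date); >= 1.3.5 fails SRC-330 on a rewritten file.`, would stop the next person from re-adding the hack or running an older validator. `test_datastream` continues past the end of the hunk.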
@@ -0,0 +1,408 @@ +From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 8 Jul 2020 17:37:50 +0200 +Subject: [PATCH 1/9] create rule, check, bash remediation + +--- + .../bash/shared.sh | 9 +++++ + .../oval/shared.xml | 1 + + .../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 -- + 4 files changed, 43 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +new file mode 100644 +index 0000000000..9838a13c95 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora ++ ++cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" ++file=/etc/crypto-policies/local.d/opensslcnf-ospp.config ++ ++#blank line at the begining to ease later readibility ++echo '' > "$file" ++echo "$cp" >> "$file" ++update-crypto-policies +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +new file mode 100644 +index 0000000000..09199ce4da +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ 
oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +new file mode 100644 +index 0000000000..afbdb36a23 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Harden OpenSSL Crypto Policy' ++ ++description: |- ++ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. ++ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. ++ This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. ++ Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. ++ ++rationale: |- ++ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. 
++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 84286-4 ++ ++references: ++ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) ++ ospp : FCS_SSHS_EXT.1 ++ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 ++ ++ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' ++ ++ocil: |- ++ To verify if the OpenSSL uses defined Crypto Policy, run: ++
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
++ and verify that the line matches ++
84285-6
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index afc0d80417..01b321b6d5 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -904,8 +904,6 @@ CCE-84281-5 + CCE-84282-3 + CCE-84283-1 + CCE-84284-9 +-CCE-84285-6 +-CCE-84286-4 + CCE-84287-2 + CCE-84288-0 + CCE-84289-8 + +From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 8 Jul 2020 17:38:32 +0200 +Subject: [PATCH 2/9] add tests + +--- + .../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++ + .../tests/correct_commented.fail.sh | 7 +++++++ + .../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++ + .../tests/empty_policy.fail.sh | 7 +++++++ + .../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++ + .../tests/incorrect_policy.fail.sh | 7 +++++++ + .../tests/missing_file.fail.sh | 7 +++++++ + 7 files changed, 51 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh +new file mode 100644 +index 0000000000..9e59b30bd2 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh +new file mode 100644 +index 0000000000..91863849b3 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh +new file mode 100644 +index 0000000000..f44957d3e1 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ 
++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh +new file mode 100644 +index 0000000000..5b14fe8ef4 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites=" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh +new file mode 100644 +index 0000000000..6be3bb2ffa +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh +new file mode 100644 +index 0000000000..b4fd0f97be +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh +new file mode 100644 +index 0000000000..2d11d227cb +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++rm -f "$configfile" + +From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:05:38 +0200 +Subject: [PATCH 3/9] remove blank line from remediation + +--- + .../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +index 9838a13c95..be6f84f83d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh 
+@@ -3,7 +3,6 @@ + cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" + file=/etc/crypto-policies/local.d/opensslcnf-ospp.config + +-#blank line at the begining to ease later readibility +-echo '' > "$file" ++ + echo "$cp" >> "$file" + update-crypto-policies + +From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:06:02 +0200 +Subject: [PATCH 4/9] fix separator regex in oval + +--- + .../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +index 09199ce4da..37be62ee39 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +@@ -1 +1 @@ +-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} ++{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}} + +From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:06:29 +0200 +Subject: [PATCH 5/9] reformat rule, fix wrong ocil + +--- + .../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++----- + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index afbdb36a23..d019d6cd32 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -5,13 +5,23 @@ prodtype: rhel8 + title: 'Harden OpenSSL Crypto Policy' + + description: |- +- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. +- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. +- This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. +- Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. ++ Crypto Policies are means of enforcing certain cryptographic settings for ++ selected applications including OpenSSL. OPenSSL is by default configured to ++ modify its configuration based on currently configured Crypto-Policy. ++ However, in certain cases it might be needed to override the Crypto Policy ++ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can ++ be done by dropping a file named opensslcnf-xxx.config, replacing ++ xxx with arbitrary identifier, into ++ /etc/crypto-policies/local.d. This has to be followed by running ++ update-crypto-policies so that changes are applied. Changes are ++ propagated into /etc/crypto-policies/back-ends/opensslcnf.config. 
++ This rule checks if this file contains predefined Ciphersuites ++ variable configured with predefined value. + + rationale: |- +- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. ++ The Common Criteria requirements specify that certain parameters for OpenSSL ++ are configured e.g. cipher suites. Currently particular requirements ++ specified by CC are stricter compared to any existing Crypto Policy. + + severity: medium + +@@ -30,4 +40,4 @@ ocil: |- + To verify if the OpenSSL uses defined Crypto Policy, run: +
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
+ and verify that the line matches +-
84285-6
++
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+ +From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 13 Jul 2020 09:49:34 +0200 +Subject: [PATCH 6/9] update references + +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index d019d6cd32..075e381906 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -31,8 +31,8 @@ identifiers: + + references: + nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) +- ospp : FCS_SSHS_EXT.1 +- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 ++ ospp: FCS_TLSC_EXT.1.1 ++ srg: SRG-OS-000250-GPOS-00093 + + ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' + + +From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 13 Jul 2020 09:49:48 +0200 +Subject: [PATCH 7/9] add ansible remediation + +--- + .../ansible/shared.yml | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml +new file mode 100644 +index 0000000000..d5c2c2b9f7 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml +@@ -0,0 +1,16 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = 
low ++ ++- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config" ++ lineinfile: ++ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config" ++ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" ++ create: yes ++ insertafter: EOF ++ ++- name: "Update system crypto policy for changes to take effect" ++ command: ++ cmd: "update-crypto-policies" + +From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Wed, 15 Jul 2020 09:26:11 +0200 +Subject: [PATCH 8/9] fix typos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Jan Černý +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index 075e381906..ce0351aa34 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy' + + description: |- + Crypto Policies are means of enforcing certain cryptographic settings for +- selected applications including OpenSSL. OPenSSL is by default configured to +- modify its configuration based on currently configured Crypto-Policy. ++ selected applications including OpenSSL. OpenSSL is by default configured to ++ modify its configuration based on currently configured Crypto Policy. + However, in certain cases it might be needed to override the Crypto Policy +- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can ++ specific to OpenSSL and leave rest of the Crypto Policy intact. 
This can + be done by dropping a file named opensslcnf-xxx.config, replacing + xxx with arbitrary identifier, into + /etc/crypto-policies/local.d. This has to be followed by running + +From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Jul 2020 09:36:06 +0200 +Subject: [PATCH 9/9] update rule references + +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index ce0351aa34..0cbead2a6d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -30,8 +30,8 @@ identifiers: + + references: +- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) ++ nist: SC-8(1),SC-13 + ospp: FCS_TLSC_EXT.1.1 +- srg: SRG-OS-000250-GPOS-00093 ++ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223 + + ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' + diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch new file mode 100644 index 0000000..88f8237 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch 
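Review bot: The bash remediation in patch 3/9 becomes append-only: it drops the `echo '' > "$file"` that created the file and keeps `echo "$cp" >> "$file"`, so each run adds another Ciphersuites line to /etc/crypto-policies/local.d/opensslcnf-ospp.config instead of writing it once; `echo "$cp" > "$file"` keeps the remediation idempotent and matches the single-line intent of the lineinfile task in patch 7/9. Patch 1/9 removes both CCE-84285-6 and CCE-84286-4 from shared/references/cce-redhat-avail.txt, but rule.yml assigns only `cce@rhel8: 84286-4`; 84285-6 appears only as a stray token in the ocil text that patch 5/9 replaces, so that identifier is consumed without being assigned to anything and should be returned to the available list. The platform line of bash/shared.sh covers Oracle Linux 8, Red Hat Virtualization 4 and Fedora while rule.yml sets `prodtype: rhel8` and the ansible remediation targets only Red Hat Enterprise Linux 8; aligning the three avoids shipping a remediation for products the rule is not built for.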
@@ -0,0 +1,48 @@ +From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 17 Aug 2020 15:56:40 +0200 +Subject: [PATCH] Add a missing Crypto Policy rule to OSPP. + +The rule fell out by mistake, this addition complements #4682 +--- + rhel8/profiles/ospp.profile | 1 + + tests/data/profile_stability/rhel8/ospp.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 5 +++-- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 5b5b5b711a..a651885eef 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -235,6 +235,7 @@ selections: + - enable_fips_mode + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy ++ - configure_ssh_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5aa3592496..13c4e6b08d 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -62,6 +62,7 @@ selections: + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - configure_openssl_crypto_policy ++- configure_ssh_crypto_policy + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - configure_usbguard_auditbackend +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 9b164eb5c2..c7fe02169a 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -77,6 +77,7 @@ selections: + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - configure_openssl_crypto_policy ++- configure_ssh_crypto_policy + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - 
configure_usbguard_auditbackend
diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
new file mode 100644
index 0000000..c469fe6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
@@ -0,0 +1,22 @@
+From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Tue, 18 Aug 2020 13:55:12 +0200
+Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
+
+https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
+---
+ .../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index e2dd99dbb5..51788a3226 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -24,6 +24,7 @@ identifiers:
+ references:
+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+ cis@rhel8: 5.2.20
++ srg: SRG-OS-000250-GPOS-00093
+ 
+ ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
+ 
diff --git a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
new file mode 100644
index 0000000..e734ce1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
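Review bot: The diffstat in the PR 6007 patch header states `tests/data/profile_stability/rhel8/stig.profile | 5 +++--` and "5 insertions(+), 2 deletions(-)", yet the three hunks in the file each add exactly one `configure_ssh_crypto_policy` line and delete nothing, so the backported patch carries a stale diffstat; `git am` and `git apply` ignore it, but it misleads anyone checking whether the backport was trimmed. The STIG profile_stability data gains the selection while only rhel8/profiles/ospp.profile is changed, which is consistent only if the RHEL 8 STIG profile inherits its selections from OSPP; the patch does not show that, so confirm the stability test passes on the patched tree.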
@@ -0,0 +1,209 @@ +From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 7 Jul 2020 11:31:59 +0200 +Subject: [PATCH 1/3] modify rule description and ocil + +--- + .../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml +index 765fca583e..1667557740 100644 +--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml +@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux' + + description: |- + Device files, which are used for communication with important system +- resources, should be labeled with proper SELinux types. If any device +- files do not carry the SELinux type device_t, report the bug so +- that policy can be corrected. Supply information about what the device is +- and what programs use it. ++ resources, should be labeled with proper SELinux types. If any device files ++ carry the SELinux type device_t or unlabeled_t, report the ++ bug so that policy can be corrected. Supply information about what the ++ device is and what programs use it. +

+- To check for unlabeled device files, run the following command: ++ To check for incorrectly labeled device files, run following commands: +
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
++
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+ It should produce no output in a well-configured system. + + rationale: |- +- If a device file carries the SELinux type device_t, then SELinux +- cannot properly restrict access to the device file. ++ If a device file carries the SELinux type device_t or ++ unlabeled_t, then SELinux cannot properly restrict access to the ++ device file. + + severity: medium + +@@ -45,8 +47,9 @@ references: + ocil_clause: 'there is output' + + ocil: |- +- To check for unlabeled device files, run the following command: ++ To check for incorrectly labeled device files, run following commands: +
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
++
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+ It should produce no output in a well-configured system. + + warnings: + +From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 7 Jul 2020 11:32:57 +0200 +Subject: [PATCH 2/3] updated oval to check only device files + +--- + .../oval/shared.xml | 64 +++++++++++++------ + 1 file changed, 43 insertions(+), 21 deletions(-) + +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml +index 51b68008af..7dcfb98577 100644 +--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml +@@ -2,32 +2,54 @@ + + + Device Files Have Proper SELinux Context +- +- Red Hat Enterprise Linux 6 +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- Red Hat Virtualization 4 +- multi_platform_fedora +- multi_platform_ol +- multi_platform_wrlinux +- +- All device files in /dev should be assigned an SELinux security context other than 'device_t'. ++ {{{- oval_affected(products) }}} ++ All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'. 
+ +- +- ++ ++ ++ + + +- +- +- ++ ++ ++ ++ ++ /dev ++ ^.*$ ++ state_block_or_char_device_file ++ ++ ++ ++ ^(block|character) special$ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- /dev +- ^.*$ +- state_selinux_all_devicefiles_labeled ++ ++ ++ state_selinux_dev_device_t + +- ++ + device_t + ++ ++ ++ ++ ++ ++ ++ ++ state_selinux_dev_unlabeled_t ++ ++ ++ unlabeled_t ++ ++ + + +From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 7 Jul 2020 11:33:26 +0200 +Subject: [PATCH 3/3] add tests + +--- + .../tests/block_device_device_t.fail.sh | 4 ++++ + .../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++ + .../tests/regular_file_device_t.pass.sh | 4 ++++ + .../tests/symlink_with_wrong_label.pass.sh | 4 ++++ + 4 files changed, 26 insertions(+) + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh + +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh +new file mode 100644 +index 0000000000..08c4142e5b +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++mknod /dev/foo b 1 5 ++chcon -t device_t /dev/foo +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh +new file mode 100644 +index 
0000000000..1da85c2034 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++ ++# selinux does not allow unlabeled_t in /dev ++# we have to modify the selinux policy to allow that ++ ++echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil ++semodule -i /tmp/unlabeled_t.cil ++ ++mknod /dev/foo c 1 5 ++chcon -t unlabeled_t /dev/foo ++ ++ ++mknod /dev/foo c 1 5 ++chcon -t device_t /dev/foo +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh +new file mode 100644 +index 0000000000..d161951d7a +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/foo ++restorecon -F /dev/foo +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh +new file mode 100644 +index 0000000000..a8280bf37e +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++ln -s /dev/cpu /dev/foo ++restorecon -F /dev/foo diff --git a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch new file mode 100644 index 0000000..927acb5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch 
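Review bot: tests/char_device_unlabeled_t.fail.sh creates /dev/foo twice: after `mknod /dev/foo c 1 5` and `chcon -t unlabeled_t /dev/foo`, the trailing `mknod /dev/foo c 1 5` fails with EEXIST and `chcon -t device_t /dev/foo` relabels the node, so the scenario ends up exercising device_t again (duplicating block_device_device_t.fail.sh) and the OVAL never sees an unlabeled_t device; drop the last three lines. The scenario also installs the CIL module from /tmp with `semodule -i` and never removes it, so the allow rule for unlabeled_t persists on the test host after the run. In the description and ocil text the patterns in `-context *:device_t:*` and `-context *:unlabeled_t:*` are unquoted, and a `*` matching files in the current directory would be expanded by the shell; quoting them as `-context '*:device_t:*'` and `-context '*:unlabeled_t:*'` makes the documented command reliable.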
@@ -0,0 +1,183 @@
+From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 2 Sep 2020 10:01:45 +0200
+Subject: [PATCH] add CUI kickstart for rhel8
+
+---
+ rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
+ 1 file changed, 167 insertions(+)
+ create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+new file mode 100644
+index 0000000000..0957fded96
+--- /dev/null
++++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+@@ -0,0 +1,167 @@
++# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
++#
++# Based on:
++# http://fedoraproject.org/wiki/Anaconda/Kickstart
++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
++
++# Install a fresh new system (optional)
++install
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --bootproto dhcp
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g.
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
++# to see how to create encrypted password form for different plaintext password
++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# --enableshadow enable shadowed passwords by default
++# --passalgo hash / crypt algorithm for new passwords
++# See the manual page for authconfig for a complete list of possible options.
++authconfig --enableshadow --passalgo=sha512
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Refer to e.g.
++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
++# to see how to create encrypted password form for different plaintext password
++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
++
++# Initialize (format) all disks (optional)
++zerombr
++
++# The following partition layout scheme assumes disk of size 20GB or larger
++# Modify size of partitions appropriately to reflect actual machine's hardware
++#
++# Remove Linux partitions from the system prior to creating new ones (optional)
++# --linux erase all Linux partitions
++# --initlabel initialize the disk label to the default based on the underlying architecture
++clearpart --linux --initlabel
++
++# Create primary system partitions (required for installs)
++part /boot --fstype=xfs --size=512
++part pv.01 --grow --size=1
++
++# Create a Logical Volume Management (LVM) group (optional)
++volgroup VolGroup --pesize=4096 pv.01
++
++# Create particular logical volumes (optional)
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++# Ensure /home Located On Separate Partition
++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
++# Ensure /tmp Located On Separate Partition
++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var/tmp Located On Separate Partition
++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var Located On Separate Partition
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++# Ensure /var/log Located On Separate Partition
++logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
++# Ensure /var/log/audit Located On Separate Partition
++logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
++logvol swap --name=swap --vgname=VolGroup --size=2016
++
++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
++# content - security policies - on the installed system.This add-on has been enabled by default
++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
++# functionality will automatically be installed. However, by default, no policies are enforced,
++# meaning that no checks are performed during or after installation unless specifically configured.
++#
++# Important
++# Applying a security policy is not necessary on all systems. This screen should only be used
++# when a specific policy is mandated by your organization rules or government regulations.
++# Unlike most other commands, this add-on does not accept regular options, but uses key-value
++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
++# Values can be optionally enclosed in single quotes (') or double quotes (").
++#
++# The following keys are recognized by the add-on:
++# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
++# - If the content-type is scap-security-guide, the add-on will use content provided by the
++# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
++# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
++# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
++# xccdf-id - ID of the benchmark you want to use.
++# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
++# profile - ID of the profile to be applied. Use default to apply the default profile.
++# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
++# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
++#
++# The following is an example %addon org_fedora_oscap section which uses content from the
++# scap-security-guide on the installation media:
++%addon org_fedora_oscap
++ content-type = scap-security-guide
++ profile = xccdf_org.ssgproject.content_profile_cui
++%end
++
++# Packages selection (%packages section is required)
++%packages
++
++# Require @Base
++@Base
++
++%end # End of %packages section
++
++# Reboot after the installation is complete (optional)
++# --eject attempt to eject CD or DVD media before rebooting
++reboot --eject
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 2787a5e..e098e0d 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
-Version: 0.1.48
-Release: 7%{?dist}
+Version: 0.1.50
+Release: 14%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
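Review bot: The comment block above `bootloader` (`# Refer to e.g.` / `# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw` / `# to see how to create encrypted password form ...`) is copied from the `rootpw` section and describes a password option that the `bootloader` line never uses; either drop those three comment lines or, if the CUI profile is expected to require a GRUB2 password, add `--password=` with a hash and point the link at the bootloader command instead. The file also documents its own credentials (`# Plaintext password is: server`, `# Plaintext password is: admin123`), so a host installed from it unchanged ends up with publicly known root and wheel passwords; a line such as `# REPLACE both password hashes below before using this kickstart` above `rootpw` would make that expectation explicit to whoever copies the file. The DHCP note still cites RHEL 6 identifiers (`CCE-27021-5`, `RHEL-06-000292`) in a RHEL 8 kickstart and should reference the matching RHEL 8 rule or be dropped. Lastly, `install` and `authconfig` are deprecated kickstart commands on RHEL 8 (`authselect` supersedes the latter), so the installer will warn on them; worth checking whether the other rhel8 kickstarts in this package have already moved away from them.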
@@ -8,23 +8,34 @@ URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
-Patch1: scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
-Patch2: scap-security-guide-0.1.49-max-path-len-skip-logs.patch
-Patch3: scap-security-guide-0.1.49-drop-rsyslog-rules.patch
-Patch4: scap-security-guide-0.1.49-update-cobit-uri.patch
-Patch5: scap-security-guide-0.1.49-ssh-use-strong-rng.patch
-Patch6: scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
-Patch7: scap-security-guide-0.1.49-add-stig-kickstart.patch
-Patch8: scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
-Patch9: scap-security-guide-0.1.49-add-few-srg-mappings.patch
-# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations
-# from https://github.com/ComplianceAsCode/content/pull/5110
-# HEAD 210ee56aab3f831c96810ca42189642274bd735f
-Patch10: scap-security-guide-0.1.49-split-audit-rules.patch
-Patch11: scap-security-guide-0.1.49-fix-remaining-srgs.patch
-# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch
-Patch12: scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
-Patch13: scap-security-guide-0.1.49-add-cce-openssh-server.patch
+Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
+Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
+# Patch6 already contains typo fix
+Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
+Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
+Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
+Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
+Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
+Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
+Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch
+Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
+Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
+Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
+Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
+Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
+Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
+Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
+Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
+Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
+Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
+Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
+
 BuildArch: noarch
 
 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@@ -72,6 +83,19 @@ present in %{name} package.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
 mkdir build
 
 %build
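Review bot: The context comment `# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream` above `Patch0` is no longer accurate after this commit: the updated disable-not-in-good-shape-profiles.patch drops the hunks that disabled the CUI and HIPAA profiles, and the new `Patch1`–`Patch4` and `Patch26` carry CIS, HIPAA and CUI content, so the line should be rewritten to list the profiles the patch actually disables (or those left enabled). The new patch list also interleaves 0.1.51, 0.1.52 and 0.1.53 backports out of order (`Patch19`–`Patch21` and `Patch23`–`Patch25` are 0.1.51 files placed after 0.1.52 ones); the numbering is consistent with the `%patch14`…`%patch26` lines in the following hunk, so this is a readability point only, but a one-line comment per version group would help the next rebase. Separately, the %changelog hunk later in this file records release `0.1.50-2` twice (the Fri May 22 and Wed May 20 entries), which rpmlint normally reports and which makes the history ambiguous.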
@@ -106,6 +130,68 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 
 %changelog
+* Wed Sep 02 2020 Matěj Týč - 0.1.50-14
+- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Tue Aug 25 2020 Watson Sato - 0.1.50-13
+- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Fri Aug 21 2020 Matěj Týč - 0.1.50-12
+- remove rationale from rules that contain defective links (rhbz#1854854)
+
+* Thu Aug 20 2020 Matěj Týč - 0.1.50-11
+- fixed link in a grub2 rule description (rhbz#1854854)
+- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
+- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
+
+* Mon Aug 17 2020 Matěj Týč - 0.1.50-10
+- Update the scapval invocation (RHBZ#1815007)
+- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
+- Change the spec file macro invocation from patch to Patch
+- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
+
+* Wed Aug 05 2020 Vojtech Polasek - 0.1.50-9
+- fix description of HIPAA profile (RHBZ#1867559)
+
+* Fri Jul 17 2020 Watson Sato - 0.1.50-8
+- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
+ - Remove CCM from TLS Ciphersuites
+
+* Mon Jun 29 2020 Matěj Týč - 0.1.50-7
+- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
+
+* Mon Jun 22 2020 Gabriel Becker - 0.1.50-6
+- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
+
+* Thu May 28 2020 Gabriel Becker - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
+
+* Tue May 26 2020 Watson Sato - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)
+
+* Mon May 25 2020 Watson Sato - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+ - Enable build of RHEL8 HIPAA Profile
+ - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+ - Add Ansible fix for sshd_set_max_sessions
+ - Add CIS Profile content attribution to Center for Internet Security
+
+* Fri May 22 2020 Watson Sato - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Wed May 20 2020 Watson Sato - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Tue May 19 2020 Watson Sato - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Thu Mar 19 2020 Gabriel Becker - 0.1.49-1
+- Update to the latest upstream release (RHBZ#1815007)
+
 * Tue Feb 11 2020 Watson Sato - 0.1.48-7
 - Update baseline package list of OSPP profile