diff --git a/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch b/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch
new file mode 100644
index 0000000..ba8214d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch
@@ -0,0 +1,46 @@
+From 082b98eca6f4200cf32744582c5ff1b385ea88db Mon Sep 17 00:00:00 2001
+From: Nathan Peters
+Date: Wed, 20 Dec 2017 14:36:19 -0800
+Subject: [PATCH 1/2] Updated aide_scan_notification remediation to run cron
+ job as root
+
+---
+ shared/fixes/bash/aide_scan_notification.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/fixes/bash/aide_scan_notification.sh b/shared/fixes/bash/aide_scan_notification.sh
+index ac63227836..3862b21825 100644
+--- a/shared/fixes/bash/aide_scan_notification.sh
++++ b/shared/fixes/bash/aide_scan_notification.sh
+@@ -11,6 +11,6 @@ if [ -f /var/spool/cron/root ]; then
+ fi
+ 
+ if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
+- echo '0 5 * * * /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
++ echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
+ fi
+ 
+
+From 6443aac41c6b28198c762d136805aaab090be45d Mon Sep 17 00:00:00 2001
+From: Nathan Peters
+Date: Wed, 20 Dec 2017 14:50:36 -0800
+Subject: [PATCH 2/2] Fixed remediation script aide_scan_notification for
+ regular grep syntax
+
+---
+ shared/fixes/bash/aide_scan_notification.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/fixes/bash/aide_scan_notification.sh b/shared/fixes/bash/aide_scan_notification.sh
+index 3862b21825..f6908bda64 100644
+--- a/shared/fixes/bash/aide_scan_notification.sh
++++ b/shared/fixes/bash/aide_scan_notification.sh
+@@ -10,7 +10,7 @@ if [ -f /var/spool/cron/root ]; then
+ VARSPOOL=/var/spool/cron/root
+ fi
+ 
+-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
++if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
+ echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
+ fi
+ 
diff --git a/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch b/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch
new file mode 100644
index 0000000..21b2d5a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch
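Review bot: The `root` user field added to the appended crontab line is valid only in the system crontab (`/etc/crontab`), not in a per-user spool such as `/var/spool/cron/root`, so the `echo` is correct only as long as `$CRONTAB`, assigned outside this hunk, always names `/etc/crontab`; a comment such as `# user field is only valid in /etc/crontab, never append this to $VARSPOOL` would pin that assumption. The detection `grep` in the second hunk still demands `root@` after the mail subject, while the OVAL patch that follows on this page relaxes the check to `.+@.+`, so a host that already mails a non-root address passes the check yet receives a duplicate cron entry from this remediation; the grep should use the same address pattern as the check. The unquoted `$CRONTAB $VARSPOOL $CRONDIRS` deliberately relies on an empty `$VARSPOOL` disappearing through word splitting when the spool file is absent, which deserves a one-line comment since `set -u` or quoting would break it.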
@@ -0,0 +1,88 @@
+From 0a88755485a67e1e29c62196cc506763594f2154 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 1 Feb 2018 08:36:18 +0100
+Subject: [PATCH 1/2] Do not fail aide_scan_notification with other email
+ adresses
+
+The rule aide_scan_notification says that AIDE should notify appropriate
+personnell of the detials of an AIDE scan. The check currently requires
+that the email address of the appropriate personell starts with 'root@'.
+In practice, the email address could be any email address. The check
+should match any email address.
+Fixes RHBZ#1540505
+---
+ shared/checks/oval/aide_scan_notification.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml
+index 3293efb084..3aba02d144 100644
+--- a/shared/checks/oval/aide_scan_notification.xml
++++ b/shared/checks/oval/aide_scan_notification.xml
+@@ -23,7 +23,7 @@
+ 
+ 
+ /etc/crontab
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
+ 1
+ 
+ 
+@@ -32,7 +32,7 @@
+ 
+ 
+ /var/spool/cron/root
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
+ 1
+ 
+ 
+@@ -42,7 +42,7 @@
+ 
+ /etc/cron.(d|daily|weekly|monthly)
+ ^.*$
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
+ 1
+ 
+ 
+
+From 381ca3e54eb2e79c18f613a0d95e187e5e622005 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 5 Feb 2018 09:58:23 +0100
+Subject: [PATCH 2/2] Match at least 1 character in email address
+
+---
+ shared/checks/oval/aide_scan_notification.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml
+index 3aba02d144..b9f8e78929 100644
+--- a/shared/checks/oval/aide_scan_notification.xml
++++ b/shared/checks/oval/aide_scan_notification.xml
+@@ -23,7 +23,7 @@
+ 
+ 
+ /etc/crontab
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$
+ 1
+ 
+ 
+@@ -32,7 +32,7 @@
+ 
+ 
+ /var/spool/cron/root
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$
+ 1
+ 
+ 
+@@ -42,7 +42,7 @@
+ 
+ /etc/cron.(d|daily|weekly|monthly)
+ ^.*$
+- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$
++ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$
+ 1
+ 
+ 
diff --git a/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch b/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch
new file mode 100644
index 0000000..5101aa7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch
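Review bot: The relaxed pattern `^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$` still opens with `^.*`, so a cron entry that an administrator has commented out (constructed example: `#0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "..." ops@example.org`) satisfies all three objects and the rule passes although no notification is ever sent; `^[^#]*/usr/sbin/aide` in place of `^.*/usr/sbin/aide` rejects that line, and the bash remediation's `grep` in the first patch on this page has the same `^.*` prefix. The pattern is repeated verbatim for the `/etc/crontab`, `/var/spool/cron/root` and `cron.(d|daily|weekly|monthly)` objects, and the 0.1.37 remediation above is already out of step with it (literal `|`, fixed `root@`), so a comment above the first object noting that the other two copies and the bash fix must change in lockstep would help the next editor.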
@@ -0,0 +1,426 @@ +From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Thu, 22 Feb 2018 22:49:54 +0100 +Subject: [PATCH 1/2] Fix kernel module loading and unloading rules + +Fixed rule descriptions to make more sense, and fixing remediation +of general rule to set auditing of both b32 and b64 syscalls on +64-bit systems. +--- + .../bash/audit_rules_kernel_module_loading.sh | 10 +- + .../audit_rules_kernel_module_loading_delete.sh | 8 +- + .../bash/audit_rules_kernel_module_loading_init.sh | 8 +- + shared/xccdf/system/auditing.xml | 161 ++++++++++----------- + 4 files changed, 91 insertions(+), 96 deletions(-) + +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh +index 12d6dd0181..268da407f7 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh +@@ -5,11 +5,11 @@ + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => +-# it's not required on a 64-bit system to check also for the presence +-# of 32-bit's equivalent of the corresponding rule. Therefore for +-# each system it's enought to check presence of system's native rule form. +-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") ++# Note: 32-bit and 64-bit kernel syscall numbers not always line up => ++# it's required on a 64-bit system to check also for the presence ++# of 32-bit's equivalent of the corresponding rule. 
++# (See `man 7 audit.rules` for details ) ++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" + do +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +index 59aadeeef8..131f1a2819 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +@@ -5,10 +5,10 @@ + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +-# If the system has a 32-bit processor, only the 32-bit rule is needed. +-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in +-# the audit file because it is not possible to know if the computer will be booted +-# in 64 or 32 bit mode or for which architecture a binary is compiled. ++# Note: 32-bit and 64-bit kernel syscall numbers not always line up => ++# it's required on a 64-bit system to check also for the presence ++# of 32-bit's equivalent of the corresponding rule. ++# (See `man 7 audit.rules` for details ) + [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +index 04b06f9dee..c46a854068 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +@@ -5,10 +5,10 @@ + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +-# If the system has a 32-bit processor, only the 32-bit rule is needed. 
+-# If the system has a 64-bit processor, both arch 32 and 64 need to be included in +-# the audit file because it is not possible to know if the computer will be booted +-# in 64 or 32 bit mode or for which architecture a binary is compiled. ++# Note: 32-bit and 64-bit kernel syscall numbers not always line up => ++# it's required on a 64-bit system to check also for the presence ++# of 32-bit's equivalent of the corresponding rule. ++# (See `man 7 audit.rules` for details ) + [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" +diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml +index 85487ee417..b68820fe9b 100644 +--- a/shared/xccdf/system/auditing.xml ++++ b/shared/xccdf/system/auditing.xml +@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a + Ensuring the auditd service is active ensures audit records + generated by the kernel are appropriately recorded. +

+-Additionally, a properly configured audit subsystem ensures that actions of ++Additionally, a properly configured audit subsystem ensures that actions of + individual system users can be uniquely traced to those users so they + can be held accountable for their actions. + +@@ -727,7 +727,7 @@ with limited audit storage capacity. + + + +- ++ + + + +@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes. + Record Information on Kernel Modules Loading and Unloading +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-w /usr/sbin/insmod -p x -k modules
+--w /usr/sbin/rmmod -p x -k modules
+--w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: +-
-w /usr/sbin/insmod -p x -k modules
++To capture kernel module loading and unloading events, use following lines, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
++
++-w /usr/sbin/insmod -p x -k modules
+ -w /usr/sbin/rmmod -p x -k modules
+ -w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
++-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules ++
++ ++Place to add the lines depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the lines to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the lines to file /etc/audit/audit.rules. +
+ + + Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-w /usr/sbin/insmod -p x -k modules
+--w /usr/sbin/rmmod -p x -k modules
+--w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: +-
-w /usr/sbin/insmod -p x -k modules
++To capture kernel module loading and unloading events, use following lines, setting ARCH to
++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
++
++-w /usr/sbin/insmod -p x -k modules
+ -w /usr/sbin/rmmod -p x -k modules
+ -w /usr/sbin/modprobe -p x -k modules
+--a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
++-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules ++
++ ++Place to add the lines depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the lines to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the lines to file /etc/audit/audit.rules. +
+ + +@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel. + + +-Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-a always,exit -F arch=ARCH -S init_module -F key=modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: ++Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module ++To capture kernel module loading events, use following line, setting ARCH to ++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +
-a always,exit -F arch=ARCH -S init_module -F key=modules
++ ++Place to add the line depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the line to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the line to file /etc/audit/audit.rules. +
+ + + +-The addition/removal of kernel modules can be used to alter the behavior of ++The addition of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel. + + +-Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-a always,exit -F arch=ARCH -S delete_module -F key=modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: ++Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module ++To capture kernel module unloading events, use following line, setting ARCH to ++either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +
-a always,exit -F arch=ARCH -S delete_module -F key=modules
++ ++Place to add the line depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the line to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the line to file /etc/audit/audit.rules. +
+ + + +-The addition/removal of kernel modules can be used to alter the behavior of ++The removal of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel. + + +-Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-w /usr/sbin/insmod -p x -k modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: ++Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod ++To capture invocation of insmod, utility used to insert modules into kernel, ++use the following line: +
-w /usr/sbin/insmod -p x -k modules
++Place to add the line depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the line to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the line to file /etc/audit/audit.rules. +
+ + To verify that auditing is configured for system administrator actions, run the following command: +
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
+
+-The addition/removal of kernel modules can be used to alter the behavior of ++The addition of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel. + + +-Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-w /usr/sbin/rmmod -p x -k modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: ++Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod ++To capture invocation of rmmod, utility used to remove modules from kernel, ++add the following line: +
-w /usr/sbin/rmmod -p x -k modules
++Place to add the line depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the line to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the line to file /etc/audit/audit.rules. +
+ + To verify that auditing is configured for system administrator actions, run the following command: +
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
+
+-The addition/removal of kernel modules can be used to alter the behavior of ++The removal of kernel modules can be used to alter the behavior of + the kernel and potentially introduce malicious code into kernel space. It is important + to have an audit trail of modules that have been introduced into the kernel. + +@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel. + Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe +-If the auditd daemon is configured to use the augenrules program +-to read audit rules during daemon startup (the default), add the following lines to a file +-with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-
-w /usr/sbin/modprobe -p x -k modules
+-If the auditd daemon is configured to use the auditctl utility to read audit +-rules during daemon startup, add the following lines to /etc/audit/audit.rules file +-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +-b64 as appropriate for your system: ++To capture invocation of modprobe, utility used to insert / remove modules from kernel, ++add the following line: +
-w /usr/sbin/modprobe -p x -k modules
++Place to add the line depends on a way auditd daemon is configured. If it is configured ++to use the augenrules program (the default), add the line to a file with suffix ++.rules in the directory /etc/audit/rules.d. ++ ++If the auditd daemon is configured to use the auditctl utility, ++add the line to file /etc/audit/audit.rules. +
+ + To verify that auditing is configured for system administrator actions, run the following command: + +From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Thu, 22 Feb 2018 23:13:29 +0100 +Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading + rules + +--- + .../rule_audit_rules_kernel_module_loading/default.fail.sh | 7 +++++++ + .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh | 7 +++++++ + .../rule_audit_rules_kernel_module_loading_init/default.fail.sh | 7 +++++++ + .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh | 7 +++++++ + .../default.fail.sh | 7 +++++++ + .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh | 7 +++++++ + 6 files changed, 42 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh + +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh +new file mode 100644 +index 0000000000..48457258e5 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh +new file mode 100644 +index 0000000000..12fe012776 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh +new file mode 100644 +index 0000000000..12fe012776 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh +new file mode 100644 +index 0000000000..12fe012776 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh +new file mode 100644 +index 0000000000..12fe012776 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh +new file mode 100644 +index 0000000000..12fe012776 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true diff --git a/SOURCES/scap-security-guide-0.1.39-fix-failing-rules-for-PCI-DSS-DISA-UGSCB.patch b/SOURCES/scap-security-guide-0.1.39-fix-failing-rules-for-PCI-DSS-DISA-UGSCB.patch new file mode 100644 index 0000000..fc7645f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.39-fix-failing-rules-for-PCI-DSS-DISA-UGSCB.patch 
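Review bot: The syscall rule the rewritten descriptions document, `-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules`, names only `init_module` and `delete_module`; on kernels that provide `finit_module` (the file-descriptor variant that `modprobe` typically uses there) a module load through that path leaves no audit record, so the rule — and the remediation loop, whose body lies outside the `RULE_ARCHS` hunks shown here — should list `init_module,finit_module,delete_module` where the kernel supports it. The six new `default.fail.sh` tests only prove the empty-rules case (`rm -f /etc/audit/rules.d/*`, truncated `/etc/audit/audit.rules`); a companion test that installs the rule for only one of `b32`/`b64` on a 64-bit host would exercise the change this patch actually makes to `RULE_ARCHS`. Note also that the `_delete.sh` and `_init.sh` hunks here apply against index `59aadeeef8`, which is the post-image produced by the 0.1.39-named patch at the end of this page (`76a29eedc4..59aadeeef8`), so whatever applies these patches must apply the later-numbered one first — worth a comment next to the patch list.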
@@ -0,0 +1,6159 @@ +From 47cbe417900d38f1ad98d9adee4b3382cdc80311 Mon Sep 17 00:00:00 2001 +From: Nathan Peters +Date: Fri, 5 Jan 2018 17:39:42 -0800 +Subject: [PATCH 1/2] updated kernel module loading init and delete to use b32 + and b64 + +--- + shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 2 +- + shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +index 97cdfae457..76a29eedc4 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +@@ -9,7 +9,7 @@ + # it's not required on a 64-bit system to check also for the presence + # of 32-bit's equivalent of the corresponding rule. Therefore for + # each system it's enought to check presence of system's native rule form. +-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") ++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" + do +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +index 83f904bab7..ec275c91f8 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +@@ -9,7 +9,7 @@ + # it's not required on a 64-bit system to check also for the presence + # of 32-bit's equivalent of the corresponding rule. Therefore for + # each system it's enought to check presence of system's native rule form. 
+-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") ++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" + do + +From 23d66767a7f6100481f985d4282ffe19ab5bc26c Mon Sep 17 00:00:00 2001 +From: Nathan Peters +Date: Fri, 12 Jan 2018 10:31:51 -0800 +Subject: [PATCH 2/2] updated comments to not contradict the remediation code + +--- + shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 8 ++++---- + shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +index 76a29eedc4..59aadeeef8 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh +@@ -5,10 +5,10 @@ + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => +-# it's not required on a 64-bit system to check also for the presence +-# of 32-bit's equivalent of the corresponding rule. Therefore for +-# each system it's enought to check presence of system's native rule form. ++# If the system has a 32-bit processor, only the 32-bit rule is needed. ++# If the system has a 64-bit processor, both arch 32 and 64 need to be included in ++# the audit file because it is not possible to know if the computer will be booted ++# in 64 or 32 bit mode or for which architecture a binary is compiled. 
+ [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" +diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +index ec275c91f8..04b06f9dee 100644 +--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh ++++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh +@@ -5,10 +5,10 @@ + + # First perform the remediation of the syscall rule + # Retrieve hardware architecture of the underlying system +-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => +-# it's not required on a 64-bit system to check also for the presence +-# of 32-bit's equivalent of the corresponding rule. Therefore for +-# each system it's enought to check presence of system's native rule form. ++# If the system has a 32-bit processor, only the 32-bit rule is needed. ++# If the system has a 64-bit processor, both arch 32 and 64 need to be included in ++# the audit file because it is not possible to know if the computer will be booted ++# in 64 or 32 bit mode or for which architecture a binary is compiled. 
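Review bot: The replacement comment gives the wrong reason for keeping both `b32` and `b64` rules on a 64-bit system: a 64-bit kernel still serves the 32-bit syscall ABI for 32-bit binaries, so a `-F arch=b64` rule alone would miss the syscalls these rules watch when they are made through that ABI, independent of how the machine was booted. I would reword the four new lines to say that, e.g. `# On a 64-bit kernel 32-bit binaries still enter the kernel via the 32-bit syscall ABI, so both the b32 and b64 rule forms are needed; a 32-bit system only needs b32.` The identical comment block is repeated in the init.sh hunk that follows and should get the same wording. The `for ARCH` loop body of each script lies outside the hunk.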
+ [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + + for ARCH in "${RULE_ARCHS[@]}" +From 27363bc92905f8b7a5271480c64051869f2565d8 Mon Sep 17 00:00:00 2001 +From: Nathan Peters +Date: Thu, 18 Jan 2018 17:18:07 -0800 +Subject: [PATCH] fixed syntax issue with sed expression in + auditd_data_retention_space_left.sh + +--- + shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh +index 1c13cd4e34..f4ae92b044 100644 +--- a/shared/fixes/bash/auditd_data_retention_space_left.sh ++++ b/shared/fixes/bash/auditd_data_retention_space_left.sh +@@ -3,7 +3,7 @@ + populate var_auditd_space_left + + grep -q ^space_left /etc/audit/auditd.conf && \ +- sed -i "s/space_left.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf ++ sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf + if ! [ $? 
-eq 0 ]; then + echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf + fi +From 0aca8aa12b070625f138e4e1f90622e89e8b6f21 Mon Sep 17 00:00:00 2001 +From: OnceUponALoop +Date: Mon, 26 Feb 2018 20:58:06 -0600 +Subject: [PATCH] Fixes #2607 - audit_rules_login_events + +--- + shared/templates/create_audit_rules_login_events.py | 2 +- + shared/templates/csv/audit_rules_login_events.csv | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/templates/create_audit_rules_login_events.py b/shared/templates/create_audit_rules_login_events.py +index 111a27a130..3dc1f5cb0d 100644 +--- a/shared/templates/create_audit_rules_login_events.py ++++ b/shared/templates/create_audit_rules_login_events.py +@@ -14,7 +14,7 @@ + class AuditRulesLoginEventsGenerator(FilesGenerator): + def generate(self, target, args): + path = args[0] +- name = re.sub('[-\./]', '_', os.path.basename(path)) ++ name = re.sub('[-\./]', '_', os.path.basename(os.path.normpath(path))) + if target == "oval": + self.file_from_template( + "./template_OVAL_audit_rules_login_events", +diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv +index cdec8d6b8e..5c9793afbe 100644 +--- a/shared/templates/csv/audit_rules_login_events.csv ++++ b/shared/templates/csv/audit_rules_login_events.csv +@@ -1,3 +1,3 @@ +-/var/run/faillock ++/var/run/faillock/ + /var/log/lastlog + /var/log/tallylog +From 318cc38b11f8b7fc6d4a30dd7db20f5bc57a4c8d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 12 Mar 2018 18:37:34 +0100 +Subject: [PATCH 1/4] Add tests for ensure_logrotate_activated + +--- + .../rule_ensure_logrotate_activated/cron_daily_configured.pass.sh | 7 +++++++ + .../logrotate_conf_configured.pass.sh | 8 ++++++++ + .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 6 ++++++ + .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 6 ++++++ + 4 files changed, 27 insertions(+) + create mode 100644 
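Review bot: `$var_auditd_space_left` is spliced unvalidated into the sed replacement and into the appended line, so a value containing `/`, `&` or a newline breaks the `s///` expression or writes a malformed `auditd.conf` entry. Since the setting is numeric, I would reject anything else right after `populate`, `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]] || { echo "var_auditd_space_left must be an integer" >&2; exit 1; }`, using whatever failure convention the other remediations follow if `exit` is not it. The same interpolation survives in the patch 4/8 hunk further down that tightens the grep pattern. The `populate` line and the sourcing of `remediation_functions` sit above this hunk.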
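Review bot: `'[-\./]'` is a non-raw string whose `\.` escape is only accidentally valid, and the new line keeps it; the escape is needed neither inside a character class nor by the string, so `re.sub(r'[-./]', '_', os.path.basename(os.path.normpath(path)))` is cleaner and avoids the invalid-escape warning newer Pythons emit for it. `generate` continues past the end of the hunk.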
tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh + create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh + create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh + create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh + +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh +new file mode 100644 +index 0000000000..2debba3186 +--- /dev/null ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++# make sure config in logrotate conf is misconfigured ++sed -i "s/daily/weekly/" /etc/logrotate.conf ++ ++# default for cron.daily for RHEL7 is already correct +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh +new file mode 100644 +index 0000000000..0521eac274 +--- /dev/null ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++# fix logrotate config ++sed -i "s/weekly/daily/" /etc/logrotate.conf ++ ++# remove default for cron.daily ++rm /etc/cron.daily/logrotate +diff --git 
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +new file mode 100644 +index 0000000000..671da30c0b +--- /dev/null ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = none ++ ++sed -i "s/daily/weekly/" /etc/logrotate.conf ++rm /etc/cron.daily/logrotate +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh +new file mode 100644 +index 0000000000..69c0ca7ee5 +--- /dev/null ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = none ++ ++sed -i "/^daily/d" /etc/logrotate.conf ++rm /etc/cron.daily/logrotate + +From 4301c45fffa27dfc03eee6b8b88301d888fb011b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 12 Mar 2018 19:00:03 +0100 +Subject: [PATCH 2/4] Update OVAL check for ensure_logrotate_activated + +Other parameters can be passed to logrotate besides the config file. +And according to logrotate man page, there can be multiple configuration +files, and the later ones override configuration done on earlier files. + +So we allow other parameters between logrotate command and config file, +and ensure that /etc/logrotate.conf is the last file. 
+--- + shared/checks/oval/ensure_logrotate_activated.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml +index 641e4516ae..9feb9b7fdc 100644 +--- a/shared/checks/oval/ensure_logrotate_activated.xml ++++ b/shared/checks/oval/ensure_logrotate_activated.xml +@@ -65,7 +65,7 @@ + + + /etc/cron.daily/logrotate +- ^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$ ++ ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ + 1 + + + +From ef15dd31ede1b96aa9b04feece43cc8d6c609ab8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 12 Mar 2018 19:51:54 +0100 +Subject: [PATCH 3/4] Add remediation for ensure_logrotate_activate + +--- + shared/fixes/bash/ensure_logrotate_activated.sh | 7 +++++++ + .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 1 - + .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 1 - + 3 files changed, 7 insertions(+), 2 deletions(-) + create mode 100644 shared/fixes/bash/ensure_logrotate_activated.sh + +diff --git a/shared/fixes/bash/ensure_logrotate_activated.sh b/shared/fixes/bash/ensure_logrotate_activated.sh +new file mode 100644 +index 0000000000..2d22e0df8b +--- /dev/null ++++ b/shared/fixes/bash/ensure_logrotate_activated.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_rhel ++ ++# daily rotation is configured ++grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf ++ ++# remove any line configuring weekly, monthly or yearly rotation ++sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +index 671da30c0b..8c93377e76 100644 +--- 
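Review bot: The new pattern `^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$` is looser than the commit message intends: the unescaped `.` matches any character and `[\s\S]*` accepts no separator at all, so a line such as `/usr/sbin/logrotate-x/etc/logrotateXconf` would also satisfy the check. Requiring whitespace around the extra arguments and escaping the dot, `^[\s]*/usr/sbin/logrotate(?:\s+\S+)*\s+/etc/logrotate\.conf$`, keeps the "other parameters allowed, logrotate.conf last" semantics while matching only the real path. The surrounding element names are not legible in this extract, so the comment is limited to the pattern itself.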
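Review bot: `echo "daily" >> /etc/logrotate.conf` appends the directive after everything else in the file, including any `include` line, and as far as I recall logrotate applies a global directive only to definitions parsed after it, so the appended `daily` can satisfy the check without changing the frequency of anything already configured — worth confirming against logrotate's config parsing before relying on it. Inserting at the top instead, `grep -q "^daily$" /etc/logrotate.conf || sed -i '1i daily' /etc/logrotate.conf`, makes it a real default (GNU sed, and the file must have at least one line, which the test scenarios guarantee). The patch 4/4 rewrite of this script further down keeps the same append and would need the same change.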
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +@@ -1,6 +1,5 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss +-# remediation = none + + sed -i "s/daily/weekly/" /etc/logrotate.conf + rm /etc/cron.daily/logrotate +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh +index 69c0ca7ee5..88679f329f 100644 +--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh +@@ -1,6 +1,5 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss +-# remediation = none + + sed -i "/^daily/d" /etc/logrotate.conf + rm /etc/cron.daily/logrotate + +From 44dc057232f17467597ed03416cd7417fde5430f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 13 Mar 2018 16:45:01 +0100 +Subject: [PATCH 4/4] logrotate needs conf and crontab configured + +- Update OVAL definition to check for both logrotate.conf and cron.daily +- Update remediation to add logrotate to cron.daily +- Update test scenrios accordingly +--- + shared/checks/oval/ensure_logrotate_activated.xml | 2 +- + shared/fixes/bash/ensure_logrotate_activated.sh | 13 +++++++++++-- + .../logrotate_conf_weekly.fail.sh | 1 - + ...aily_configured.pass.sh => logrotate_configured.pass.sh} | 4 ++-- + ...f_configured.pass.sh => logrotate_no_cron_daily.fail.sh} | 0 + 5 files changed, 14 insertions(+), 6 deletions(-) + rename 
tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{cron_daily_configured.pass.sh => logrotate_configured.pass.sh} (56%) + rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{logrotate_conf_configured.pass.sh => logrotate_no_cron_daily.fail.sh} (100%) + +diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml +index 9feb9b7fdc..a34caaab5c 100644 +--- a/shared/checks/oval/ensure_logrotate_activated.xml ++++ b/shared/checks/oval/ensure_logrotate_activated.xml +@@ -11,7 +11,7 @@ + The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily +
+ +- ++ + + > /etc/logrotate.conf ++grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE + + # remove any line configuring weekly, monthly or yearly rotation +-sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf ++sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE ++ ++# configure cron.daily if not already ++if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then ++ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE ++ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE ++fi +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +index 8c93377e76..30d1e29008 100644 +--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh +@@ -2,4 +2,3 @@ + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + + sed -i "s/daily/weekly/" /etc/logrotate.conf +-rm /etc/cron.daily/logrotate +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh +similarity index 56% +rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh +rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh +index 2debba3186..170b8e9ed8 100644 +--- 
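Review bot: When `$CRON_DAILY_LOGROTATE_FILE` does not exist, the two `echo` redirections create it with the process umask (typically 0644), and `run-parts` only executes files with the execute bit set, so the remediation satisfies the content check while logrotate still never runs from cron — the `logrotate_no_cron_daily.fail.sh` scenario, which deletes that file, is exactly this case. Add `chmod 0755 "$CRON_DAILY_LOGROTATE_FILE"` after the second `echo`, and quote both variables in every use. The interpolated `$LOGROTATE_CONF_FILE` in the `grep` pattern also carries unescaped `/` and `.`, harmless only as long as it holds a plain path, and the overwrite discards any other arguments an existing file passed to logrotate. The hunk header and the two variable assignments are not legible in this extract.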
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh ++++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + +-# make sure config in logrotate conf is misconfigured +-sed -i "s/daily/weekly/" /etc/logrotate.conf ++# fix logrotate config ++sed -i "s/weekly/daily/" /etc/logrotate.conf + + # default for cron.daily for RHEL7 is already correct +diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh +similarity index 100% +rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh +rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh +From 9b32280bb07c28281f7bd97663e783e1846d4dc9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 13 Mar 2018 19:54:13 +0100 +Subject: [PATCH 1/8] Add test scenarios for audit_rules_login_events + +- default fail - no rules at all +- default pass - default watch rules for tallylog, faillock and lastlog +--- + .../rule_audit_rules_login_events/default.fail.sh | 7 +++++++ + .../rule_audit_rules_login_events/default.pass.sh | 9 +++++++++ + 2 files changed, 16 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh + +diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh +new file mode 100644 +index 0000000000..ab4dc70c93 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh +new file mode 100644 +index 0000000000..4f81075d4b +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules ++echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules ++echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules ++ ++cat /etc/audit/rules.d/logins.rules + +From 3743d6b1fdc6cfd7b2cdb2d4d934e47d9c456441 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 13 Mar 2018 20:16:20 +0100 +Subject: [PATCH 2/8] Add test scenarios for + auditd_data_retention_space_left_action + +- action_email - configures action to email +- action_not_there - removes any configuration of space_left_action +--- + .../action_email.pass.sh | 5 +++++ + .../action_not_there.fail.sh | 5 
+++++ + 2 files changed, 10 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh + +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh +new file mode 100644 +index 0000000000..e340fef316 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa ++# remediation = bash ++ ++sed -i "s/^space_left_action = .*$/space_left_action = email/" /etc/audit/auditd.conf +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh +new file mode 100644 +index 0000000000..13707b20da +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa ++# remediation = bash ++ ++sed -i "/^space_left_action = /d" /etc/audit/auditd.conf + +From 580f2d489741e293ceeb4e3863298351d0ac5c29 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 14 Mar 2018 15:47:28 +0100 +Subject: [PATCH 3/8] Add test scenarios for audit_data_retention_space_left + +- space_left pass - auditd.conf configured 
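Review bot: The pass scenario only substitutes an existing `space_left_action = ...` line, so on an `auditd.conf` that lacks the key (the state the sibling `action_not_there.fail.sh` creates) it silently does nothing and the scenario would fail for the wrong reason. `space_left.pass.sh` in the next patch handles this with a grep-then-append `if`/`else`; the same shape, keyed on `"^space_left_action[[:space:]]*="` and appending `space_left_action = email` when absent, fits here.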
with enough space +- space_left_not_enough fail - auditd.conf configured with low space +- space_left_not_there fail - auditd.conf without space_left parameter +--- + .../rule_auditd_data_retention_space_left/space_left.pass.sh | 9 +++++++++ + .../space_left_not_enough.fail.sh | 5 +++++ + .../space_left_not_there.fail.sh | 5 +++++ + 3 files changed, 19 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh + +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh +new file mode 100644 +index 0000000000..2e24c0ab86 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa ++# remediation = bash ++ ++if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then ++ sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf ++else ++ echo "space_left = 100" >> /etc/audit/auditd.conf ++fi +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh +new file mode 100644 +index 0000000000..637d9a0b3f +--- /dev/null ++++ 
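Review bot: The `grep` accepts any run of whitespace before `=` but the `sed` on the next line only rewrites `space_left = ` with single spaces, so an existing `space_left   = 75` line passes the grep, is left untouched, and the scenario ends with the low value still in place. Use the same pattern in both, `sed -i "s/^space_left[[:space:]]*=.*$/space_left = 100/" /etc/audit/auditd.conf`, and drop the trailing space from the grep pattern so a `space_left=75` line is replaced rather than duplicated by the `echo` branch.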
b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa ++# remediation = bash ++ ++sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh +new file mode 100644 +index 0000000000..71d459fdec +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa ++# remediation = bash ++ ++sed -i "/^space_left = /d" /etc/audit/auditd.conf + +From 269ab3e0422b97e6c3593850e4fe93020436047b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 14 Mar 2018 16:30:20 +0100 +Subject: [PATCH 4/8] Fix append scenario in remediation for + audit_data_retention_space_left + +Remediation for auditd_data_retention_space_left could not add +configuration line when it was missing. + +grep command would return 0, sed command would not find the +configuration line to replace and return 0. +Subsequent if would consume $? equal 0 and not append config. + +Use of function replace_or_append is not easy here, [[:space:]] is not +handled correctly. 
+--- + shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh +index f4ae92b044..2ed771b2d2 100644 +--- a/shared/fixes/bash/auditd_data_retention_space_left.sh ++++ b/shared/fixes/bash/auditd_data_retention_space_left.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate var_auditd_space_left + +-grep -q ^space_left /etc/audit/auditd.conf && \ ++grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf + if ! [ $? -eq 0 ]; then + echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf + +From 3afa2f4dad4de2c3d98bf9f1bdf554778f6bc33a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 14 Mar 2018 18:49:36 +0100 +Subject: [PATCH 5/8] Add test scenarios for audit_rules_privileged_commands + +- rules_configure pass - tests audit rules for default installation +- own_key pass - tests audit rules with custom key +- default fail - tests default installation without any configuration +- removes all rules.d fail - tests remediation when rules.d is empty +--- + .../default.fail.sh | 5 ++++ + .../own_key.rules | 30 ++++++++++++++++++++++ + .../privileged.rules | 30 ++++++++++++++++++++++ + .../remove_all_rules.d.fail.sh | 7 +++++ + .../rules_configured.pass.sh | 5 ++++ + .../rules_with_own_key.pass.sh | 5 ++++ + 6 files changed, 82 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules + create mode 100644 
tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh + +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh +new file mode 100644 +index 0000000000..96e9f70a89 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules +new file mode 100644 +index 0000000000..4df6d4ec8b +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules +@@ -0,0 +1,30 @@ ++-a always,exit -F path=/usr/bin/wall -F perm=x -F 
auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F 
path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key ++-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules +new file mode 100644 +index 0000000000..4eb644acbc +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules +@@ -0,0 +1,30 @@ ++-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/write -F perm=x 
-F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F 
path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh +new file mode 100644 +index 0000000000..ab4dc70c93 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules ++true +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh +new file mode 100644 +index 0000000000..1aca5a0c00 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++cp privileged.rules /etc/audit/rules.d/ +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh +new file mode 100644 +index 0000000000..4fecb12817 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++ ++cp own_key.rules /etc/audit/rules.d/privileged.rules + +From b00609abc38092461e9ab034ed74476772c71761 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 14 Mar 2018 18:55:56 +0100 +Subject: [PATCH 6/8] Enable function perform_audit_rules to handle empty rules + directory + +When /etc/audit/rules.d was empty, the remediation function would not +add any rule into output rules file. 
+---
+ .../perform_audit_rules_privileged_commands_remediation.sh | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+index 5fac50ef07..3f48afabe3 100644
+--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
++++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+@@ -78,6 +78,15 @@ do
+ # presence of existing audit rule for new sbinary
+ local count_of_inspected_files=0
+
++ # Define expected rule form for this binary
++ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
++
++ # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
++ if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
++ echo "$expected_rule" >> "$output_audit_file"
++ continue
++ fi
++
+ # For each audit rules file from the list of files to be inspected
+ for afile in "${files_to_inspect[@]}"
+ do
+@@ -96,9 +105,6 @@ do
+ # Increase the count of inspected files for this sbinary
+ count_of_inspected_files=$((count_of_inspected_files + 1))
+
+- # Define expected rule form for this binary
+- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
+-
+ # Require execute access type to be set for existing audit rule
+ exec_access='x'
+
+@@ -155,6 +161,7 @@ do
+ # Current audit rules file's content doesn't contain expected rule for this
+ # SUID/SGID binary yet => append it
+ echo $expected_rule >> $output_audit_file
++ continue
+ fi
+
+ done
+
+From bbdbd508e3c2d60100abe533f50929748f375a2d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 19 Mar 2018 18:20:05 +0100
+Subject: [PATCH 7/8] Make regexes for space_left tests consistent
+
+---
+ 
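Review bot: The `continue` added after `echo $expected_rule >> $output_audit_file` in the last hunk is the final statement of the `for afile` loop body (the `fi` and `done` that follow close it), so it changes no control flow and reads as if it were meant to skip something. If the intent was to stop inspecting remaining files once the rule is appended, that already happens; if it was meant to move on to the next `sbinary`, it would need `continue 2` (assuming the file loop sits directly inside the binary loop, which is not visible here). The existing append also differs in quoting from the new early-exit path; aligning it as `echo "$expected_rule" >> "$output_audit_file"` keeps a path containing whitespace or glob characters from being split or expanded. The enclosing function and both loops start and end outside the hunk.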
shared/fixes/bash/auditd_data_retention_space_left.sh | 4 ++-- + .../rule_auditd_data_retention_space_left/space_left.pass.sh | 5 +++-- + .../space_left_not_enough.fail.sh | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh +index 2ed771b2d2..3cd4306aa8 100644 +--- a/shared/fixes/bash/auditd_data_retention_space_left.sh ++++ b/shared/fixes/bash/auditd_data_retention_space_left.sh +@@ -2,8 +2,8 @@ + . /usr/share/scap-security-guide/remediation_functions + populate var_auditd_space_left + +-grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \ +- sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf ++grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ ++ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf + if ! [ $? -eq 0 ]; then + echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf + fi +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh +index 2e24c0ab86..dde1f2be94 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh +@@ -2,8 +2,9 @@ + # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa + # remediation = bash + +-if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then +- sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf ++SPACE_LEFT_REGEX="^space_left[[:space:]]*=.*$" ++if grep -q "$SPACE_LEFT_REGEX" /etc/audit/auditd.conf; then ++ sed 
-i "s/$SPACE_LEFT_REGEX/space_left = 100/" /etc/audit/auditd.conf + else + echo "space_left = 100" >> /etc/audit/auditd.conf + fi +diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh +index 637d9a0b3f..0d1b1a3911 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh +@@ -2,4 +2,4 @@ + # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa + # remediation = bash + +-sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf ++sed -i "s/^space_left[[:space:]]*=.*$/space_left = 15/" /etc/audit/auditd.conf + +From 9f1569a0a572ae4ac2fa002c622cebbc23ff5a45 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 19 Mar 2018 18:22:24 +0100 +Subject: [PATCH 8/8] Chain echo command with OR + +The remediation will sed or echo the config file. +--- + shared/fixes/bash/auditd_data_retention_space_left.sh | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh +index 3cd4306aa8..67ab813d48 100644 +--- a/shared/fixes/bash/auditd_data_retention_space_left.sh ++++ b/shared/fixes/bash/auditd_data_retention_space_left.sh +@@ -3,7 +3,5 @@ + populate var_auditd_space_left + + grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ +- sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf +-if ! [ $? 
-eq 0 ]; then +- echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf +-fi ++ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ ++ echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf +From 155b606d318d0995d094183e7278707c310172de Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 15 Mar 2018 17:23:00 +0100 +Subject: [PATCH 1/7] Add tests for network_ipv6_disable_rpc + +- rpc_disabled pass - correct configuration in /etc/netconfig +- default fail - default installation configuration +--- + .../rule_network_ipv6_disable_rpc/default.fail.sh | 7 +++++++ + .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 7 +++++++ + 2 files changed, 14 insertions(+) + create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh + create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh + +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh +new file mode 100644 +index 0000000000..ff0a92e368 +--- /dev/null ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# remediation = bash ++ ++# default config has rpc enabled ++true +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh 
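Review bot: Chaining `grep -q … && sed -i … || echo … >>` is not an if/else: when grep matches but `sed -i` fails (an immutable or otherwise unwritable auditd.conf, or sed unable to create its temp file alongside it), the `||` branch runs and appends a second `space_left =` line to the same file instead of surfacing the error. Writing it as `if grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf; then sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/" /etc/audit/auditd.conf; else echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf; fi` keeps the two outcomes distinct and lets a failed sed exit non-zero. The value obtained from `populate var_auditd_space_left` is spliced into the sed replacement unquoted, so a value containing `/` or `&` would alter the expression; a `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]]` guard before the edit would be cheap insurance given that auditd expects a number here.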
b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+new file mode 100644
+index 0000000000..0349191dfb
+--- /dev/null
++++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++#
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
++# remediation = bash
++
++sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
++sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+
+From ab07272905bfb111c7c10dae630e04019d1135b2 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 15 Mar 2018 17:24:50 +0100
+Subject: [PATCH 2/7] Add remediation for network_ipv6_disable_rpc
+
+This fix script was sourced from RHEL6 product.
+---
+ shared/fixes/bash/network_ipv6_disable_rpc.sh | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ create mode 100644 shared/fixes/bash/network_ipv6_disable_rpc.sh
+
+diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
+new file mode 100644
+index 0000000000..e4f738780d
+--- /dev/null
++++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
+@@ -0,0 +1,10 @@
++# platform = multi_platform_rhel
++
++# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
++# services for NFSv4 from attempting to start IPv6 network listeners
++declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
++
++for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
++do
++ sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
++done
+
+From f9677408a17154278b65ec9d0b4271b8399aa12a Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Thu, 15 Mar 2018 19:17:15 +0100
+Subject: [PATCH 3/7] Add tests for network_ipv6_privacy_extensions
+
+- default fail - remove IPV6_PRIVACY from any ifcfg file
+- ipv6_privacy_enabled pass - add IPV6_PRIVACY to all ifcfg files
+---
+ 
.../rule_network_ipv6_privacy_extensions/default.fail.sh | 5 +++++ + .../ipv6_privacy_enabled.pass.sh | 8 ++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh + create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh + +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh +new file mode 100644 +index 0000000000..4f6cbaca7f +--- /dev/null ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++ ++sed -i "/^IPV6_PRIVACY=rfc3041$/d" /etc/sysconfig/network-scripts/ifcfg-* +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh +new file mode 100644 +index 0000000000..90eb082745 +--- /dev/null ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++ ++for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*) ++do ++ echo "IPV6_PRIVACY=rfc3041" >> $file ++done + +From cfccf1711de2ffa9b94019ee96ff63740967ee18 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 15 Mar 2018 
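Review bot: Both new test scripts carry only a `# profiles =` header, whereas every other test added in this series (the audit-rules ones and the `network_ipv6_disable_rpc` ones) also declares `# remediation = bash`, and the very next patch adds a bash remediation for this rule. If that header is what tells the test runner to apply the fix after the initial scan, these scenarios will only verify the scan result and the new `network_ipv6_privacy_extensions.sh` goes unexercised; adding `# remediation = bash` after the profiles line in both files would make them consistent with the rest of the series. The `default.fail.sh` sed also removes only an exact `IPV6_PRIVACY=rfc3041` line, so it does not produce the "set to another value" case (e.g. `IPV6_PRIVACY=no`) that a remediation test would most want to cover.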
19:18:53 +0100 +Subject: [PATCH 4/7] Add remediation for network_ipv6_privacy_extensions + +- adding only bash remediation +--- + shared/fixes/bash/network_ipv6_privacy_extensions.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + create mode 100644 shared/fixes/bash/network_ipv6_privacy_extensions.sh + +diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh +new file mode 100644 +index 0000000000..b719fb471f +--- /dev/null ++++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_rhel ++ ++# enable randomness in ipv6 address generation ++for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*) ++do ++ echo "IPV6_PRIVACY=rfc3041" >> $interface ++done + +From c09b5a38d62c733260c1c29227ec3032ea26e9b1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 20 Mar 2018 16:52:12 +0100 +Subject: [PATCH 5/7] Bash improvements for remdiation and tests + +--- + shared/fixes/bash/network_ipv6_disable_rpc.sh | 3 +-- + shared/fixes/bash/network_ipv6_privacy_extensions.sh | 2 +- + .../rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh +index e4f738780d..5246e14109 100644 +--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh ++++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh +@@ -2,9 +2,8 @@ + + # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC + # services for NFSv4 from attempting to start IPv6 network listeners +-declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6") + +-for rpc_entry in ${IPV6_RPC_ENTRIES[@]} ++for rpc_entry in "tcp6" "udp6" + do + sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig + done +diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh +index 
b719fb471f..134bb3f1f9 100644 +--- a/shared/fixes/bash/network_ipv6_privacy_extensions.sh ++++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh +@@ -1,7 +1,7 @@ + # platform = multi_platform_rhel + + # enable randomness in ipv6 address generation +-for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*) ++for interface in /etc/sysconfig/network-scripts/ifcfg-* + do + echo "IPV6_PRIVACY=rfc3041" >> $interface + done +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh +index 90eb082745..0982f003c8 100644 +--- a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh +@@ -2,7 +2,7 @@ + # + # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 + +-for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*) ++for interface in /etc/sysconfig/network-scripts/ifcfg-* + do +- echo "IPV6_PRIVACY=rfc3041" >> $file ++ echo "IPV6_PRIVACY=rfc3041" >> $interface + done + +From 77890cd398db61a30f6e20add1067f77f5c0c283 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 20 Mar 2018 16:58:03 +0100 +Subject: [PATCH 6/7] Remove escaped underscore + +No flavor of regular expression needs to escape underscores. 
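Review bot: The fix appends `IPV6_PRIVACY=rfc3041` unconditionally, so every remediation run adds another copy to each ifcfg file, and an existing `IPV6_PRIVACY=no` is only shadowed rather than replaced; since ifcfg files are sourced as shell the last assignment wins, but the duplicates accumulate and a check that inspects the file (not part of this patch) may still see the other value. Replacing `$(ls …)` with a plain glob is the right move, but without `nullglob` an empty network-scripts directory makes the loop run once with the literal pattern, and `>> $interface` then creates a file literally named `ifcfg-*`. A replace-or-append per regular file covers both cases; `ifcfg-lo` is also matched by the glob, which looks harmless but may be worth excluding if the check skips the loopback config.
```shell
# enable randomness in ipv6 address generation
for interface in /etc/sysconfig/network-scripts/ifcfg-*; do
  [ -f "$interface" ] || continue
  if grep -q '^IPV6_PRIVACY=' "$interface"; then
    sed -i 's/^IPV6_PRIVACY=.*/IPV6_PRIVACY=rfc3041/' "$interface"
  else
    echo "IPV6_PRIVACY=rfc3041" >> "$interface"
  fi
done
```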
+--- + shared/fixes/bash/network_ipv6_disable_rpc.sh | 2 +- + .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh +index 5246e14109..decd74e0cc 100644 +--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh ++++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh +@@ -5,5 +5,5 @@ + + for rpc_entry in "tcp6" "udp6" + do +- sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig ++ sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig + done +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh +index 0349191dfb..5ba5a77784 100644 +--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh +@@ -3,5 +3,5 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 + # remediation = bash + +-sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig +-sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig ++sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig ++sed -i "/^udp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig + +From 09eeaa1bff9c6203a5dbab18ccec89cc3458c22f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 20 Mar 2018 17:27:19 +0100 +Subject: [PATCH 7/7] Remove redundant profiles in tests for ipv6_disable_rpc + +--- + .../group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh | 2 +- + .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 2 +- + 2 files changed, 2 
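Review bot: Deleting the `tcp6`/`udp6` entries outright leaves no trace in /etc/netconfig for whoever audits the host later and is harder to revert than commenting them out, e.g. `sed -i "s/^\($rpc_entry[[:space:]]\+tpi_.*inet6.*\)/#\1/" /etc/netconfig`, provided the OVAL check for this rule (not in this patch) treats a commented line as disabled, which is what the rule text in this project typically asks for. The `sed -i` also assumes /etc/netconfig exists; on a host without it (the file is typically shipped by libtirpc) the remediation fails with `sed: can't read /etc/netconfig`, so a `[ -f /etc/netconfig ] || exit 0`-style guard, or whatever convention the other fixes use for "not applicable", would make the script's exit status meaningful. The loop header and the `# platform` line are outside this hunk.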
insertions(+), 2 deletions(-) + +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh +index ff0a92e368..f834e3f726 100644 +--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # +-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 + # remediation = bash + + # default config has rpc enabled +diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh +index 5ba5a77784..c4bdf0a7c6 100644 +--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh ++++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # +-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 + # remediation = bash + + sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig +From 5f3ceba27b33c3f8c39ff15d894bb9c58fb1b9fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 16 Mar 2018 17:38:07 +0100 +Subject: [PATCH] Change id of rule that checks for IPV6 disabled + +The Rule is not following expected pattern. 
The sysctl in question is +net.ipv6.conf.all.disable_ipv6, so exptected Rule id is +syctl_net_ipv6_conf_all_disable_ipv6. + +This is causing template generated remediation to not be picked up by +build system. + +The used pattern would be for sysctl with name kernel_ipv6_disabled, witch +doesn't exist. +--- + rhel7/profiles/C2S.xml | 2 +- + rhel7/profiles/ospp-rhel7.xml | 2 +- + rhel7/profiles/rht-ccp.xml | 2 +- + shared/xccdf/system/network/ipv6.xml | 6 +++--- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/rhel7/profiles/C2S.xml b/rhel7/profiles/C2S.xml +index f1798271f9..39dcf9b192 100644 +--- a/rhel7/profiles/C2S.xml ++++ b/rhel7/profiles/C2S.xml +@@ -341,7 +341,7 @@ baseline. + ++ + +- + +