From bb5c2983be3b11c3cd1070cf1d3daca27cb700ee Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 19 Aug 2021 08:02:55 -0500
Subject: [PATCH] Add a new rules RHEL-08-010001 and RHEL-07-020019
---
 .../agent_mfetpd_running/oval/shared.xml | 16 ++++++
 .../agent_mfetpd_running/rule.yml | 39 ++++++++++++++
 .../group.yml | 7 +++
 .../package_mcafeetp_installed/rule.yml | 51 +++++++++++++++++++
 products/rhel7/profiles/stig.profile | 2 +
 products/rhel8/profiles/stig.profile | 4 ++
 shared/references/cce-redhat-avail.txt | 4 --
 .../data/profile_stability/rhel8/stig.profile | 2 +
 .../profile_stability/rhel8/stig_gui.profile | 2 +
 9 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
new file mode 100644
index 00000000000..9900d8bd724
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
@@ -0,0 +1,16 @@
+
+
+ {{{ oval_metadata("Ensure that McAfee Endpoint Security for Linux (ENSL) is running.") }}}
+
+
+
+
+
+
+
+
+
+ ^mfetpd.*$
+ 0
+
+
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
new file mode 100644
index 00000000000..32c934467da
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8
+
+title: 'Ensure McAfee Endpoint Security for Linux (ENSL) is running'
+
+description: |-
+ Install McAfee Endpoint Security for Linux antivirus software
+ which is provided for DoD systems and uses signatures to search for the
+ presence of viruses on the filesystem.
+
+rationale: |-
+ Virus scanning software can be used to detect if a system has been compromised by
+ computer viruses, as well as to limit their spread to other systems.
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-86262-3
+ cce@rhel8: CCE-86261-5
+
+references:
+ disa: CCI-001233
+ nist: SI-2(2)
+ srg: SRG-OS-000191-GPOS-00080
+ stigid@rhel7: RHEL-07-020019
+ stigid@rhel8: RHEL-08-010001
+
+ocil_clause: 'virus scanning software is not running'
+
+ocil: |-
+ To verify that McAfee Endpoint Security for Linux is
+ running, run the following command:
+
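Review bot: The element tags of this OVAL file did not survive rendering, but the surviving object values `^mfetpd.*$` and `0` read like a process test that is satisfied by any process whose command line matches the pattern, which proves the daemon is up at scan time and says nothing about whether it is enabled to start at boot; if ENSL installs a systemd unit, pairing this with a service-enabled check would also catch an agent that has been stopped and disabled rather than only one that happens to be down during the scan. The trailing `.*$` adds nothing to an anchored pattern match, so `^mfetpd` is sufficient and easier to read. The diffstat lists no test scenario alongside the new definition, so nothing in this commit exercises the check against a running or stopped daemon.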
$ sudo ps -ef | grep -i mfetpd
+
+warnings:
+ - general: |-
+ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
+ automated remediation is not available for this configuration check.
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
new file mode 100644
index 00000000000..f2e4e89851a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'McAfee Endpoint Security for Linux (ENSL)'
+
+description: |-
+ McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
+ used to monitor, detect, and defend computer networks and systems.
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
new file mode 100644
index 00000000000..16587792eff
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
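Review bot: The ocil procedure `$ sudo ps -ef | grep -i mfetpd` typically prints at least one line even when the agent is not running, because the `grep` process itself appears in the `ps -ef` listing with `mfetpd` on its command line, so an assessor following it can be misled into a pass; `$ sudo pgrep -l mfetpd` or `$ sudo ps -ef | grep -i [m]fetpd` avoids the self-match. The ocil also never states what output means compliance; a closing sentence such as `If no mfetpd process is listed, this is a finding.` would make the manual check unambiguous. The description block is copied from the package rule and describes installing the software, while the title and `ocil_clause` of this rule are about the agent running; it should instead say something like `Ensure the McAfee Endpoint Security for Linux (ENSL) agent, mfetpd, is running so the system is continuously scanned for malicious software.`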
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8
+
+title: 'Install McAfee Endpoint Security for Linux (ENSL)'
+
+description: |-
+ Install McAfee Endpoint Security for Linux antivirus software
+ which is provided for DoD systems and uses signatures to search for the
+ presence of viruses on the filesystem.
+
+ {{{ describe_package_install(package="mcafeetp") }}}
+
+rationale: |-
+ Virus scanning software can be used to detect if a system has been compromised by
+ computer viruses, as well as to limit their spread to other systems.
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-86257-3
+ cce@rhel8: CCE-86260-7
+
+references:
+ disa: CCI-001233
+ nist: SI-2(2)
+ srg: SRG-OS-000191-GPOS-00080
+ stigid@rhel7: RHEL-07-020019
+ stigid@rhel8: RHEL-08-010001
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="mcafeetp") }}}'
+
+warnings:
+ - general: |-
+ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
+ automated remediation is not available for this configuration check.
+
+platform: machine
+
+template:
+ name: package_installed
+ vars:
+ pkgname: mcafeetp
+ backends:
+ bash: "off"
+ ansible: "off"
+ anaconda: "off"
+ puppet: "off"
+ blueprint: "off"
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index f5761c891f2..9ca13600057 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -316,3 +316,5 @@ selections:
 - file_permissions_var_log_audit
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_default_rp_filter
+ - package_mcafeetp_installed
+ - agent_mfetpd_running
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9dc9360e899..36f384621ae 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
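Review bot: `pkgname: mcafeetp` in the template vars is matched against the RPM database, where package names are case-sensitive, so a difference in case between this value and the name the vendor RPM actually registers would make the generated check fail on every host, including correctly protected ones; confirm the exact installed name with `rpm -qa | grep -i mcafeetp` on a host that has ENSL before merging. The same string is also passed to `describe_package_install` and `ocil_package`, so a wrong value would propagate into the rendered description and manual check as well. Disabling all remediation backends is consistent with the warning about third-party software, and `platform: machine` keeps the check off container images, which looks right for a daemon-based product.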
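Review bot: The two selections are appended to the very end of the rhel7 profile without any marker of the requirement they implement, while the rhel8 profile in this same patch places them under a `# RHEL-08-010001` comment; a `# RHEL-07-020019` comment above `- package_mcafeetp_installed` would let the two profiles be read the same way, assuming the rhel7 profile uses such comments elsewhere (none are visible in the hunk's context lines). Keeping the two rules adjacent, as done here, is right since the STIG ID is satisfied only when both are selected.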
@@ -84,6 +84,10 @@ selections:
 # RHEL-08-010000
 - installed_OS_is_vendor_supported
+ # RHEL-08-010001
+ - package_mcafeetp_installed
+ - agent_mfetpd_running
+
 # RHEL-08-010010
 - security_patches_up_to_date
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..08013e6de22 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -372,12 +372,8 @@ CCE-86253-2
 CCE-86254-0
 CCE-86255-7
 CCE-86256-5
-CCE-86257-3
 CCE-86258-1
 CCE-86259-9
-CCE-86260-7
-CCE-86261-5
-CCE-86262-3
 CCE-86263-1
 CCE-86264-9
 CCE-86265-6
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e9ba0f0adbf..f3e6c4fa1a1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -65,6 +65,7 @@ selections:
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
 - aide_check_audit_tools
+- agent_mfetpd_running
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -280,6 +281,7 @@ selections:
 - package_gssproxy_removed
 - package_iprutils_removed
 - package_krb5-workstation_removed
+- package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed
 - package_policycoreutils_installed
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c8540f9392e..b5b60349a83 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -76,6 +76,7 @@ selections:
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
 - aide_check_audit_tools
+- agent_mfetpd_running
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -291,6 +292,7 @@ selections:
 - package_gssproxy_removed
 - package_iprutils_removed
 - package_krb5-workstation_removed
+- package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed
 - package_policycoreutils_installed