From db7bff613cb14543378661c1bf78582ada09d84a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 24 Mar 2020 09:31:41 +0100
Subject: [PATCH 1/4] Add rules to check owners of /etc/issue
---
 .../file_groupowner_etc_issue/rule.yml | 35 +++++++++++++++++++
 .../file_owner_etc_issue/rule.yml | 35 +++++++++++++++++++
 .../file_permissions_etc_issue/rule.yml | 2 ++
 shared/references/cce-redhat-avail.txt | 4 ---
 4 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
new file mode 100644
index 0000000000..fe22c4ceda
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify group ownership of System Login Banner'
+
+description: |-
+ {{{ describe_file_group_owner(file="/etc/issue", group="root") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
+ Proper group ownership will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83707-0
+ cce@rhel8: 83708-8
+
+references:
+ cis@rhel7: 1.7.1.5
+ cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/issue", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/issue", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/issue
+ filegid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
new file mode 100644
index 0000000000..1a96fc1bee
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify ownership of System Login Banner'
+
+description: |-
+ {{{ describe_file_owner(file="/etc/issue", owner="root") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
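Review bot: The rationale sentence `Proper group ownership will ensure that only root user can modify the banner.` in file_groupowner_etc_issue/rule.yml overstates what this rule checks. Group ownership by GID 0 only decides which group's permission bits apply; whether anyone other than root can write the file still depends on the owner and mode covered by file_owner_etc_issue and file_permissions_etc_issue. I would word it as `Group ownership by root, combined with the correct owner and permissions, prevents members of other groups from modifying the banner.` The same sentence, with "ownership" in place of "group ownership", appears in file_owner_etc_issue and in both /etc/motd rules added in PATCH 2/4, and needs the same qualification there.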
+ Proper ownership will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83717-9
+ cce@rhel8: 83718-7
+
+references:
+ cis@rhel7: 1.7.1.5
+ cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/issue", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/issue", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/issue
+ fileuid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
index 323c3b93b6..6082783b89 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
 title: 'Verify permissions on System Login Banner'
 description: |-
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4a8668ed97..565be50dcf 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -394,8 +394,6 @@ CCE-83703-9
 CCE-83704-7
 CCE-83705-4
 CCE-83706-2
-CCE-83707-0
-CCE-83708-8
 CCE-83709-6
 CCE-83710-4
 CCE-83711-2
@@ -404,8 +402,6 @@ CCE-83713-8
 CCE-83714-6
 CCE-83715-3
 CCE-83716-1
-CCE-83717-9
-CCE-83718-7
 CCE-83719-5
 CCE-83720-3
 CCE-83721-1
From ac323a919cd97ee34d17d96ca20d10e8ad25ac43 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 24 Mar 2020 09:50:54 +0100
Subject: [PATCH 2/4] Add rules to check owners of /etc/motd
---
 .../file_groupowner_etc_motd/rule.yml | 35 +++++++++++++++++++
 .../file_owner_etc_motd/rule.yml | 35 +++++++++++++++++++
 .../file_permissions_etc_motd/rule.yml | 2 ++
 shared/references/cce-redhat-avail.txt | 4 ---
 4 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
new file mode 100644
index 0000000000..21ff3fb62a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify group ownership of Message of the Day Banner'
+
+description: |-
+ {{{ describe_file_group_owner(file="/etc/motd", group="root") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
+ Proper group ownerhip will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83727-8
+ cce@rhel8: 83728-6
+
+references:
+ cis@rhel7: 1.7.1.4
+ cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/motd", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/motd", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/motd
+ filegid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
new file mode 100644
index 0000000000..27fed965fb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify ownership of Message of the Day Banner'
+
+description: |-
+ {{{ describe_file_owner(file="/etc/motd", owner="root") }}}
+
+rationale: |-
+ Display of a standardized and approved use notification before granting
+ access to the operating system ensures privacy and security notification
+ verbiage used is consistent with applicable federal laws, Executive Orders,
+ directives, policies, regulations, standards, and guidance.
+ Proper ownerhip will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83737-7
+ cce@rhel8: 83738-5
+
+references:
+ cis@rhel7: 1.7.1.4
+ cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/motd", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/motd", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/motd
+ fileuid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
index 6d81eb43d1..ca789dc6f8 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
 title: 'Verify permissions on Message of the Day Banner'
 description: |-
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 565be50dcf..5986154a5a 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -410,8 +410,6 @@ CCE-83723-7
 CCE-83724-5
 CCE-83725-2
 CCE-83726-0
-CCE-83727-8
-CCE-83728-6
 CCE-83729-4
 CCE-83730-2
 CCE-83731-0
@@ -420,8 +418,6 @@ CCE-83733-6
 CCE-83734-4
 CCE-83735-1
 CCE-83736-9
-CCE-83737-7
-CCE-83738-5
 CCE-83739-3
 CCE-83740-1
 CCE-83741-9
From 3f0c74420e052b6ea18cef45896a48f24cd3c5df Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato
Date: Tue, 24 Mar 2020 13:32:34 +0100
Subject: [PATCH 3/4] Update linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý
---
 .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 21ff3fb62a..9cebc074dd 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
 access to the operating system ensures privacy and security notification
 verbiage used is consistent with applicable federal laws, Executive Orders,
 directives, policies, regulations, standards, and guidance.
- Proper group ownerhip will ensure that only root user can modify the banner.
+ Proper group ownership will ensure that only root user can modify the banner.
 severity: medium
From 3138bbcee2a997eb0c8f74eabdcac9f71944e191 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato
Date: Tue, 24 Mar 2020 13:33:40 +0100
Subject: [PATCH 4/4] Fix typo in title of rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý
---
 .../accounts-banners/file_groupowner_etc_issue/rule.yml | 2 +-
 .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +-
 .../accounts/accounts-banners/file_owner_etc_motd/rule.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
index fe22c4ceda..6ff4e0a95a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
-title: 'Verify group ownership of System Login Banner'
+title: 'Verify Group Ownership of System Login Banner'
 description: |-
 {{{ describe_file_group_owner(file="/etc/issue", group="root") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 9cebc074dd..8c66e997ac 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
-title: 'Verify group ownership of Message of the Day Banner'
+title: 'Verify Group Ownership of Message of the Day Banner'
 description: |-
 {{{ describe_file_group_owner(file="/etc/motd", group="root") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
index 27fed965fb..8d963ae75d 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
 access to the operating system ensures privacy and security notification
 verbiage used is consistent with applicable federal laws, Executive Orders,
 directives, policies, regulations, standards, and guidance.
- Proper ownerhip will ensure that only root user can modify the banner.
+ Proper ownership will ensure that only root user can modify the banner.
 severity: medium
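Review bot: The title of file_owner_etc_motd/rule.yml, which lies outside this hunk, still reads 'Verify ownership of Message of the Day Banner' although this same commit retitles the two group rules to 'Verify Group Ownership of …'. To keep the rule titles consistent in the rendered guide I would capitalise it too, `title: 'Verify Ownership of Message of the Day Banner'`, and likewise `title: 'Verify Ownership of System Login Banner'` in file_owner_etc_issue, which this commit does not touch. The subject line mentions only a title typo, yet this hunk corrects the rationale spelling `ownerhip`; saying so in the commit message would make the history easier to search.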