diff --git a/SOURCES/add_not_s390x_cpe_dictionary.diff b/SOURCES/add_not_s390x_cpe_dictionary.diff new file mode 100644 index 0000000..e3703c4 --- /dev/null +++ b/SOURCES/add_not_s390x_cpe_dictionary.diff @@ -0,0 +1,42 @@ +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index 50f8006c9..2a3915364 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -87,6 +87,10 @@ + + installed_env_has_login_defs + ++ ++ System architecture is not S390X ++ proc_sys_kernel_osrelease_arch_not_s390x ++ + + Package sssd-common is installed + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index 3b9b4fc03..ce675614e 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -57,6 +57,10 @@ + + installed_env_has_login_defs + ++ ++ System architecture is not S390X ++ proc_sys_kernel_osrelease_arch_not_s390x ++ + + Package sssd-common is installed + +diff --git a/ssg/constants.py b/ssg/constants.py +index 6ba70982a..3054c3e55 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -451,6 +451,7 @@ XCCDF_PLATFORM_TO_CPE = { + "yum": "cpe:/a:yum", + "zipl": "cpe:/a:zipl", + "net-snmp": "cpe:/a:net-snmp", ++ "not_s390x_arch": "cpe:/a:not_s390x_arch", + } + + # Default platform to package mapping diff --git a/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch new file mode 100644 index 0000000..2144ac3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch 
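Review bot: The two CPE dictionary entries and the `"not_s390x_arch": "cpe:/a:not_s390x_arch"` line added to `XCCDF_PLATFORM_TO_CPE` in `ssg/constants.py` all hinge on an OVAL check id, `proc_sys_kernel_osrelease_arch_not_s390x`, that this patch does not add, so presumably it is expected to exist already in the tree; the patch header should say so, or the OVAL should travel with it, otherwise the build resolves a platform to a check that may be missing. Only the rhel7 and rhel8 dictionaries receive the entry while the constants mapping is product-independent, so any other product selecting `platform: not_s390x_arch` would get a CPE no dictionary resolves; confirm that is intended. A short comment on the constants line, e.g. `# pseudo-platform: architecture predicate, resolved by the per-product CPE dictionary`, would explain why a hardware property is registered under the `cpe:/a:` application part.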
@@ -0,0 +1,322 @@ +From f1011e329d01e857a20d8f75285ad22c38ff4033 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 15 Oct 2020 09:03:33 +0200 +Subject: [PATCH 1/7] add rule + +--- + .../use_pam_wheel_for_su/ansible/shared.yml | 12 +++++++ + .../use_pam_wheel_for_su/bash/shared.sh | 8 +++++ + .../use_pam_wheel_for_su/oval/shared.xml | 19 +++++++++++ + .../root_logins/use_pam_wheel_for_su/rule.yml | 32 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 5 files changed, 71 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +new file mode 100644 +index 0000000000..d66d66200d +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "restrict usage of su command only to members of wheel group" ++ lineinfile: ++ path: "/etc/pam.d/su" ++ line: "auth required pam_wheel.so use_uid" ++ regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$' ++ state: present +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +new file mode 100644 +index 0000000000..0aec7b4361 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++ ++if ! grep -q pam_wheel /etc/pam.d/su; then ++ sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su ++else ++ echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su ++fi +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml +new file mode 100644 +index 0000000000..f84e04fa32 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml +@@ -0,0 +1,19 @@ ++ ++ ++ {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/su ++ ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +new file mode 100644 +index 0000000000..260cbd3344 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 ++ ++title: 'Enforce usage of pam_wheel for su authentication' ++ ++description: |- ++ To ensure that only users who are members of the wheel group can ++ run commands with altered privileges through the su command, make ++ sure that the following line 
exists in the file /etc/pam.d/su: ++
auth             required        pam_wheel.so use_uid
++ ++rationale: |- ++ The su program allows to run commands with a substitute user and ++ group ID. It is commonly used to run commands as the root user. Limiting ++ access to such command is considered a good security practice. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83318-6 ++ ++references: ++ ospp: FMT_SMF_EXT.1.1 ++ ++ocil_clause: 'the line is not in the file or it is commented' ++ ++ocil: |- ++ Run the following command to check if the line is present: ++
grep pam_wheel /etc/pam.d/su
++ The output should contain the following line: ++
auth             required        pam_wheel.so use_uid
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 21b42b5eee..a76d3cb609 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -2,7 +2,6 @@ CCE-83314-5 + CCE-83315-2 + CCE-83316-0 + CCE-83317-8 +-CCE-83318-6 + CCE-83319-4 + CCE-83320-2 + CCE-83322-8 + +From da5fc11a838214aff87425470b909107148f25d5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 15 Oct 2020 09:03:48 +0200 +Subject: [PATCH 2/7] add tests + +--- + .../root_logins/use_pam_wheel_for_su/tests/correct.pass.sh | 7 +++++++ + .../use_pam_wheel_for_su/tests/line_commented.fail.sh | 7 +++++++ + .../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 4 ++++ + 3 files changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh +new file mode 100644 +index 0000000000..233b3b11b4 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++#clean possible commented lines ++sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su ++ ++#apply correct line ++echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh +new file mode 100644 +index 0000000000..aa7757d2e1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++#clean possible commented lines ++sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su ++ ++#apply commented line ++echo "#auth required pam_wheel.so use_uid" >> /etc/pam.d/su +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh +new file mode 100644 +index 0000000000..be95c2eda9 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++#clean possible lines ++sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su + +From a4403371faeaf155a53f3e1720ecc087d7c38eb2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 15 Oct 2020 09:04:18 +0200 +Subject: [PATCH 3/7] add rule into rhel8 ospp + +--- + rhel8/profiles/ospp.profile | 1 + + tests/data/profile_stability/rhel8/ospp.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index d5133cc58b..cbe9cc6485 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -222,6 +222,7 @@ selections: + - securetty_root_login_console_only + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember ++ - use_pam_wheel_for_su + + ### SELinux Configuration + - var_selinux_state=enforcing +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile 
+index 9dcca1ea5e..2660e815e9 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -219,6 +219,7 @@ selections: + - sysctl_user_max_user_namespaces + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub ++- use_pam_wheel_for_su + - zipl_audit_argument + - zipl_audit_backlog_limit_argument + - zipl_bls_entries_only +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 66c5e7d743..ad8205dcfc 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -241,6 +241,7 @@ selections: + - sysctl_user_max_user_namespaces + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub ++- use_pam_wheel_for_su + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + +From e6e3fbec1fe141ffc48c96ac6121aa11ba94ec64 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 23 Oct 2020 16:32:04 +0200 +Subject: [PATCH 4/7] fix remediation + +--- + .../root_logins/use_pam_wheel_for_su/bash/shared.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +index 0aec7b4361..8e2e92f6ce 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +@@ -1,8 +1,9 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + +-if ! 
grep -q pam_wheel /etc/pam.d/su; then +- sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su +-else ++# uncomment the option if commented ++ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su ++ ++if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then + echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su + fi + +From 0339398e8c0e7e29b0bb656787fe38bfbeae2b81 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 30 Oct 2020 15:41:40 +0100 +Subject: [PATCH 5/7] update bash remediation + +do not remediate if commented version does not exist +--- + .../root_logins/use_pam_wheel_for_su/bash/shared.sh | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +index 8e2e92f6ce..d001e73362 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +@@ -2,8 +2,4 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + + # uncomment the option if commented +- sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su +- +-if ! 
grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then +- echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su +-fi ++ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su + +From a0c255e8bc6755c301900d7f19a58952695ff919 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 30 Oct 2020 15:42:11 +0100 +Subject: [PATCH 6/7] update ansible remediation + +do not remediate when commented version does not exist +--- + .../root_logins/use_pam_wheel_for_su/ansible/shared.yml | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +index d66d66200d..7194be9c61 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +@@ -5,8 +5,7 @@ + # disruption = low + + - name: "restrict usage of su command only to members of wheel group" +- lineinfile: ++ replace: + path: "/etc/pam.d/su" +- line: "auth required pam_wheel.so use_uid" +- regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$' +- state: present ++ regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$' ++ replace: "auth required pam_wheel.so use_uid" + +From b170fc7c0f6d85a49f44809037a425a0f0e76fa1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 30 Oct 2020 15:42:34 +0100 +Subject: [PATCH 7/7] update tests + +--- + .../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh +index be95c2eda9..d08437501b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# remediation = none + + #clean possible lines + sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su diff --git a/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff new file mode 100644 index 0000000..7147dc2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff @@ -0,0 +1,419 @@ +diff --git a/linux_os/guide/services/ssh/ssh_client/group.yml b/linux_os/guide/services/ssh/ssh_client/group.yml +new file mode 100644 +index 0000000000..62ead28ee1 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/group.yml +@@ -0,0 +1,11 @@ ++documentation_complete: true ++ ++title: 'Configure OpenSSH Client if Necessary' ++ ++description: |- ++ The following configuration changes apply to the SSH client. They can ++ improve security parameters relwevant to the client user, e.g. increasing ++ entropy while generating initialization vectors. Note that these changes ++ influence only the default SSH client configuration. Changes in this group ++ can be overridden by the client user by modifying files within the ++
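Review bot: After patches 5/7 and 6/7 the bash and Ansible remediations only uncomment an existing `#auth required pam_wheel.so use_uid` line, yet `rule.yml` still tells the reader to "make sure that the following line exists" and the bash file comment says only "uncomment the option if commented"; a host whose `/etc/pam.d/su` lacks the vendor default line stays failed after remediation (the `line_not_there.fail.sh` test marks this with `# remediation = none`), and that limitation belongs in the rule text, e.g. a comment in `bash/shared.sh` reading `# Only the distribution-shipped, commented-out line is activated; if it is absent the rule remains failed and the line must be added manually`. The OVAL pattern `^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$` also anchors on `use_uid` as the last token, so a line that enforces wheel membership with an extra option after `use_uid` is reported as failing and, by the same token, never remediated; if that strictness is deliberate, say so in the rule description rather than leaving it implicit.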
~/.ssh
directory or by supplying parameters on the command line. +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml +new file mode 100644 +index 0000000000..a9f579ae04 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml +@@ -0,0 +1,19 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh" ++ lineinfile: ++ path: /etc/profile.d/cc-ssh-strong-rng.csh ++ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$' ++ line: 'setenv SSH_USE_STRONG_RNG 32' ++ state: present ++ create: yes ++ ++- name: "Ensure that the configuration is not overridden in /etc/profile" ++ lineinfile: ++ path: /etc/profile ++ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$' ++ state: absent +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh +new file mode 100644 +index 0000000000..a3b0b3a9c6 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++ ++# put line into the file ++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh ++ ++# remove eventual override in /etc/profile ++sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml +new file mode 100644 +index 0000000000..fe6d3a5f25 +--- /dev/null ++++ 
b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml +@@ -0,0 +1,36 @@ ++ ++ ++ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh and is not overridden in /etc/profile") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/profile.d/cc-ssh-strong-rng.csh ++ ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG[\s]+([\d]+)$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/profile ++ ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$ ++ 1 ++ ++ ++ ++ 32 ++ ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml +new file mode 100644 +index 0000000000..a2b9bfa37d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'SSH client uses strong entropy to seed (for CSH like shells)' ++ ++description: |- ++ To set up SSH client to use entropy from a high-quality source, make sure ++ that the appropriate shell environment variable is configured. The ++ SSH_USE_STRONG_RNG environment variable determines how many bytes ++ of entropy to use. Make sure that the file ++ /etc/profile.d/cc-ssh-strong-rng.csh contains line ++
setenv SSH_USE_STRONG_RNG 32
. ++ ++rationale: |- ++ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. ++ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors ++ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of ++ the random number generator used by SSH would be known to potential attackers. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83349-1 ++ ++references: ++ ospp: FCS_CKM.1.1 ++ srg: SRG-OS-000480-GPOS-00227 ++ ++ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more' ++ ++ocil: |- ++ Run the following command to verify that SSH client is configured to use 32 bytes of entropy: ++
grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh
++ It should return the following output: ++
setenv SSH_USE_STRONG_RNG 32
. +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh +new file mode 100644 +index 0000000000..4cfafa9f96 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..c2fead5697 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -f /etc/profile.d/cc-ssh-strong-rng.csh +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh +new file mode 100644 +index 0000000000..4a0d26165b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "#setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh +new file mode 100644 +index 0000000000..5fbccb5f29 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh ++echo 
"setenv SSH_USE_STRONG_RNG 8" >> /etc/profile.d/cc-ssh-strong-rng.csh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh +new file mode 100644 +index 0000000000..d93d1151f8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++echo "setenv SSH_USE_STRONG_RNG 32" >> /etc/profile.d/cc-ssh-strong-rng.csh ++echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh +new file mode 100644 +index 0000000000..d73f22ce5d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "setenv SSH_USE_STRONG_RNG 64" > /etc/profile.d/cc-ssh-strong-rng.csh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml +new file mode 100644 +index 0000000000..d19ee819c0 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml +@@ -0,0 +1,19 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh" ++ lineinfile: ++ path: /etc/profile.d/cc-ssh-strong-rng.sh ++ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$' ++ line: 'export SSH_USE_STRONG_RNG=32' ++ state: present ++ create: yes ++ ++- name: "Ensure that the configuration is not 
overridden in /etc/profile" ++ lineinfile: ++ path: /etc/profile ++ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$' ++ state: absent +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh +new file mode 100644 +index 0000000000..07e45f1dfa +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++ ++# put line into the file ++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh ++ ++# remove eventual override in /etc/profile ++sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml +new file mode 100644 +index 0000000000..23bda9bf83 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml +@@ -0,0 +1,36 @@ ++ ++ ++ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh and is not overridden in /etc/profile") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/profile.d/cc-ssh-strong-rng.sh ++ ^[\s]*export[\s]+SSH_USE_STRONG_RNG=([\d]+)$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/profile ++ ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$ ++ 1 ++ ++ ++ ++ 32 ++ ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml +new file mode 100644 +index 0000000000..3de4df0a2e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'SSH client 
uses strong entropy to seed (Bash-like shells)' ++ ++description: |- ++ To set up SSH client to use entropy from a high-quality source, make sure ++ that the appropriate shell environment variable is configured. The ++ SSH_USE_STRONG_RNG environment variable determines how many bytes ++ of entropy to use. Make sure that the file ++ /etc/profile.d/cc-ssh-strong-rng.sh contains line ++
export SSH_USE_STRONG_RNG=32
. ++ ++rationale: |- ++ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. ++ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors ++ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of ++ the random number generator used by SSH would be known to potential attackers. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83346-7 ++ ++references: ++ ospp: FCS_CKM.1.1 ++ srg: SRG-OS-000480-GPOS-00227 ++ ++ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more' ++ ++ocil: |- ++ Run the following command to verify that SSH client is configured to use 32 bytes of entropy: ++
grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh
++ The output should be: ++
export SSH_USE_STRONG_RNG=32
+diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh +new file mode 100644 +index 0000000000..8dc01bb3b5 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..feab751995 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -f /etc/profile.d/cc-ssh-strong-rng.sh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh +new file mode 100644 +index 0000000000..f77cfabfe4 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "#export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh +new file mode 100644 +index 0000000000..acbe72da2c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh ++echo "export SSH_USE_STRONG_RNG=8" >> 
/etc/profile.d/cc-ssh-strong-rng.sh +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh +new file mode 100644 +index 0000000000..38ce27729d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh ++echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile +diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh +new file mode 100644 +index 0000000000..2b3b0fbeca +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "export SSH_USE_STRONG_RNG=64" > /etc/profile.d/cc-ssh-strong-rng.sh +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 687b948b34..755573a6f9 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -427,6 +427,10 @@ selections: + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + ++# configure ssh client to use strong entropy ++ - ssh_client_use_strong_rng_sh ++ - ssh_client_use_strong_rng_csh ++ + # zIPl specific rules + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 8bbc01f0d5..4bfb91de9d 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -175,6 +175,8 @@ selections: + - service_systemd-coredump_disabled + - service_usbguard_enabled + - 
ssh_client_rekey_limit ++- ssh_client_use_strong_rng_csh ++- ssh_client_use_strong_rng_sh + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index e1915d648b..adace8fd54 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -199,6 +199,8 @@ selections: + - service_usbguard_enabled + - smartcard_configure_cert_checking + - ssh_client_rekey_limit ++- ssh_client_use_strong_rng_csh ++- ssh_client_use_strong_rng_sh + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth diff --git a/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch b/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch new file mode 100644 index 0000000..f8ae788 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch 
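Review bot: The "not overridden" half of both OVAL checks and the `sed -i ... /etc/profile` in both bash remediations inspect only `/etc/profile`, so a later-sorting snippet in `/etc/profile.d/` or a per-user rc file can still reset `SSH_USE_STRONG_RNG`, as the new `group.yml` description itself concedes; the `ocil_clause` "SSH client is not configured to use 32 bytes of entropy or more" therefore claims more than is verified, and a sentence such as "Only `/etc/profile.d/cc-ssh-strong-rng.sh` and `/etc/profile` are inspected; overrides in other profile.d snippets or user files are not detected" should go into both `rule.yml` descriptions. The bash remediations also truncate the target with `echo ... > /etc/profile.d/cc-ssh-strong-rng.sh`, whereas the Ansible variants use `lineinfile` with `create: yes` and keep other content, so the two remediations are not equivalent on a file an admin has extended. Finally, `group.yml` has a typo, `relwevant` for `relevant`.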
@@ -0,0 +1,34 @@
+From 0df80531afcfe73d0025dac31f259bdf38c37cc0 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 1 Dec 2020 13:48:37 +0100
+Subject: [PATCH] fix wrong rule name in oval and change platform to machine
+
+---
+ .../bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml | 2 +-
+ .../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+index a3e9b616a3..8d7197faed 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+@@ -1,5 +1,5 @@
+
+-
++
+ {{{ oval_metadata("Ensure the kernel is configured to trust the CPU hardware random number generator.") }}}
+
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+index 3df57621a3..89ffe074e0 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
+@@ -49,7 +49,7 @@ ocil: |-
+ If the command does not return any output, then the boot parameter is
+ missing.
+
+-platform: grub2
++platform: machine
+
+ template:
+ name: grub2_bootloader_argument
diff --git a/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff b/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
new file mode 100644
index 0000000..18f1503
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
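Review bot: `+platform: machine` at the bottom of the hunk flips the same rule.yml line that Patch4 (`kernel_trust_rng_make_grub-PR_6415.diff`) changes from `machine` to `grub2`, so the two patches cancel each other on that line and Patch6 can only apply after Patch4; the oval/shared.xml hunk above it is the substantive fix, but its changed line is not visible on this page. The release changelog describes the outcome as excluding kernel_trust_cpu_rng rules on s390x, and nothing in this patch says how `platform: machine` contributes to that — presumably the s390x applicability comes from the grub2_bootloader_argument template or the grub2 dependency rather than this line; a sentence in the commit message stating the intended applicability would settle it. Recording the Patch4 → Patch6 dependency as a comment in the spec would also make the apply order explicit.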
@@ -0,0 +1,123 @@ +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml +similarity index 100% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +similarity index 99% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +index 89ffe074e0..3df57621a3 100644 +--- a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +@@ -49,7 +49,7 @@ ocil: |- + If the command does not return any output, then the boot parameter is + missing. 
+ +-platform: machine ++platform: grub2 + + template: + name: grub2_bootloader_argument +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh +similarity index 100% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh +similarity index 100% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh +similarity index 100% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh +diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh +similarity index 100% +rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh +rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 5944383e39..687b948b34 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ 
-134,7 +134,7 @@ selections: + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument +- - kernel_trust_cpu_rng ++ - grub2_kernel_trust_cpu_rng + + ## Security Settings + - sysctl_kernel_kptr_restrict +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index a11664fe28..8bbc01f0d5 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -84,6 +84,7 @@ selections: + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_disable_interactive_boot ++- grub2_kernel_trust_cpu_rng + - grub2_page_poison_argument + - grub2_pti_argument + - grub2_slub_debug_argument +@@ -97,7 +98,6 @@ selections: + - kernel_module_firewire-core_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled +-- kernel_trust_cpu_rng + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 5add9d462f..e1915d648b 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -29,6 +29,8 @@ selections: + - accounts_password_minlen_login_defs + - accounts_password_pam_dcredit + - accounts_password_pam_difok ++- accounts_password_pam_enforce_local ++- accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat +@@ -39,6 +41,7 @@ selections: + - accounts_password_set_max_life_existing + - accounts_password_set_min_life_existing + - accounts_passwords_pam_faillock_deny ++- accounts_passwords_pam_faillock_enforce_local + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - accounts_umask_etc_bashrc +@@ -103,6 +106,7 @@ selections: + - grub2_audit_argument + - 
grub2_audit_backlog_limit_argument + - grub2_disable_interactive_boot ++- grub2_kernel_trust_cpu_rng + - grub2_page_poison_argument + - grub2_pti_argument + - grub2_slub_debug_argument +@@ -116,7 +120,6 @@ selections: + - kernel_module_firewire-core_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled +-- kernel_trust_cpu_rng + - mount_option_boot_nodev + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev +@@ -195,6 +198,7 @@ selections: + - service_systemd-coredump_disabled + - service_usbguard_enabled + - smartcard_configure_cert_checking ++- ssh_client_rekey_limit + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +@@ -272,8 +276,4 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info +-- ssh_client_rekey_limit +-- accounts_passwords_pam_faillock_enforce_local +-- accounts_password_pam_enforce_local +-- accounts_password_pam_enforce_root + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' diff --git a/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch b/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch new file mode 100644 index 0000000..46fbb23 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch 
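Review bot: The four `tests/data/profile_stability/rhel8/stig.profile` hunks (`@@ -29,6 +29,8`, `@@ -39,6 +41,7`, `@@ -195,6 +198,7`, `@@ -272,8 +276,4`) only move `ssh_client_rekey_limit`, `accounts_passwords_pam_faillock_enforce_local`, `accounts_password_pam_enforce_local` and `accounts_password_pam_enforce_root` from the tail of the list to their sorted positions, and those tail lines exist only after the pwquality patch (Patch3) has been applied, so this .diff silently depends on Patch3. The spec's `%prep` order happens to satisfy that, but nothing records it; a line in the spec above Patch4 such as `# Patch4 re-sorts stig stability entries added by Patch3 and must follow it` would keep a later reorder from breaking the build. The renamed selection `grub2_kernel_trust_cpu_rng` is only edited in `rhel8/profiles/ospp.profile`, while the stig stability data also gains it — presumably the stig profile extends ospp, but that is worth confirming since no stig.profile change is in this diff.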
@@ -0,0 +1,18 @@
+From 22bca4fc47160181133a9c85ab360b6acb8d768d Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 1 Dec 2020 09:32:58 +0100
+Subject: [PATCH 4/4] add new platform to usbguard group
+
+---
+ linux_os/guide/services/usbguard/group.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/services/usbguard/group.yml b/linux_os/guide/services/usbguard/group.yml
+index 1669bb7a6d..d386dd5f4f 100644
+--- a/linux_os/guide/services/usbguard/group.yml
++++ b/linux_os/guide/services/usbguard/group.yml
+@@ -5,3 +5,4 @@ title: 'USBGuard daemon'
+ description: |-
+ The USBGuard daemon enforces the USB device authorization policy for all USB devices.
+
++platform: not_s390x_arch
diff --git a/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch b/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
new file mode 100644
index 0000000..de5db5b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
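Review bot: `+platform: not_s390x_arch` is the only hunk kept from an upstream series marked `[PATCH 4/4]`, and the spec says Patches 7-9 were "stripped down", yet the patch body itself carries no note of what was dropped; one line under the Subject such as `Backport note: only the group.yml hunk is carried; the CPE dictionary entry is added by Patch10` would let the next maintainer rebase without diffing against upstream. Setting `platform:` on `usbguard/group.yml` presumably applies to every rule under the group (the changelog entry "Disable usbguard rules on s390x architecture" reads that way), which is the right scope here since s390x has no USB bus. The value must match the CPE key defined elsewhere byte for byte, and the spec comment for Patch10 currently spells it `not_s390_arch`, so that comment should be corrected to avoid the wrong name being copied.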
@@ -0,0 +1,429 @@ +From d2666b534c38bfc3bbd7308c4db4ef887cae6e0b Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Wed, 11 Nov 2020 15:14:51 -0700 +Subject: [PATCH] Add new pwquality.conf and faillock.conf rules + +- Add rule for enforcing password complexity for root +- Add rules for enforcing pwquality and faillock for local users only +- Enable SSH client for STIG +- Part of #4978 +- Fixes #2706 +- Fixes #2174 +--- + .../ansible/shared.yml | 12 ++++++ + .../bash/shared.sh | 9 ++++ + .../oval/shared.xml | 21 ++++++++++ + .../rule.yml | 42 +++++++++++++++++++ + .../ansible/shared.yml | 12 ++++++ + .../bash/shared.sh | 9 ++++ + .../oval/shared.xml | 21 ++++++++++ + .../rule.yml | 42 +++++++++++++++++++ + .../ansible/shared.yml | 12 ++++++ + .../bash/shared.sh | 9 ++++ + .../oval/shared.xml | 21 ++++++++++ + .../rule.yml | 39 +++++++++++++++++ + rhel8/profiles/stig.profile | 4 +- + .../oval/accounts_password_pam_faillock.xml | 26 ++++++++++++ + .../data/profile_stability/rhel8/stig.profile | 4 ++ + 16 files changed, 282 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml + create mode 100644 
linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml + create mode 100644 shared/checks/oval/accounts_password_pam_faillock.xml + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml +new file mode 100644 +index 0000000000..6ead01fab5 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Ensure failed password attempts lockout only for local users ++ lineinfile: ++ create: yes ++ dest: "/etc/security/faillock.conf" ++ regexp: 
'^#?\s*local_users_only' ++ line: "local_users_only" +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh +new file mode 100644 +index 0000000000..8c43a8bb82 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++if ! grep -q "^local_users_only" /etc/security/faillock.conf; then ++ sed "s/# local_users_only/local_users_only/g" -i /etc/security/faillock.conf ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml +new file mode 100644 +index 0000000000..8e8ce134b0 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/oval/shared.xml +@@ -0,0 +1,21 @@ ++ ++ ++ {{{ oval_metadata("Failed password attempts are enforced for local users only.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/security/faillock.conf ++ ^[\s]*local_users_only[\s]*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml +new file mode 100644 +index 0000000000..a189ac68ec +--- /dev/null ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml +@@ -0,0 +1,42 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Enforce pam_faillock for Local Accounts Only' ++ ++description: |- ++ The pam_faillock module's local_users_only parameter controls requirements for ++ enforcing failed lockout attempts only for local user accounts and ignoring ++ centralized user account management failed attempt configurations. Enable the local_users_only ++ setting in /etc/security/faillock.conf to require failed password attempts ++ for only local user accounts. ++ ++rationale: |- ++ The operating system must provide automated mechanisms for supporting account management ++ functions. Enterprise environments make application account management challenging and ++ complex. A manual process for account management functions adds the risk of a potential ++ oversight or other error. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83401-0 ++ ++references: ++ disa: CCI-000015 ++ nist: AC-2(1) ++ srg: SRG-OS-000001-GPOS-00001 ++ ++ocil_clause: 'local_users_only is not uncommented or configured correctly' ++ ++ocil: |- ++ To check if root user is required to use complex passwords, run the following command: ++
$ grep local_users_only /etc/security/faillock.conf
++ The output should return local_users_only uncommented. ++ ++platform: pam ++ ++warnings: ++ - management: |- ++ Using this rule bypasses pam_faillock's functionality and should be used in cases ++ where centralized management such as LDAP or Active Directory is in use. +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml +new file mode 100644 +index 0000000000..cebb406ad7 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Ensure password complexity only for local users ++ lineinfile: ++ create: yes ++ dest: "/etc/security/pwquality.conf" ++ regexp: '^#?\s*local_users_only' ++ line: "local_users_only" +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh +new file mode 100644 +index 0000000000..4049539796 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++if ! 
grep -q "^local_users_only" /etc/security/pwquality.conf; then ++ sed "s/# local_users_only/local_users_only/g" -i /etc/security/pwquality.conf ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml +new file mode 100644 +index 0000000000..794344e635 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/oval/shared.xml +@@ -0,0 +1,21 @@ ++ ++ ++ {{{ oval_metadata("The password complexity requirements are enforced for local users only.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/security/pwquality.conf ++ ^[\s]*local_users_only[\s]*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml +new file mode 100644 +index 0000000000..37f89b75b5 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_local/rule.yml +@@ -0,0 +1,42 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only' ++ ++description: |- ++ The pam_pwquality module's local_users_only parameter controls requirements for ++ enforcing password complexity by pam_pwquality only for local user accounts and ignoring ++ centralized user account management password complexity configurations. Enable the local_users_only ++ setting in /etc/security/pwquality.conf to require password complexity enforcement ++ for only local user accounts. 
++ ++rationale: |- ++ The operating system must provide automated mechanisms for supporting account management ++ functions. Enterprise environments make application account management challenging and ++ complex. A manual process for account management functions adds the risk of a potential ++ oversight or other error. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83364-0 ++ ++references: ++ disa: CCI-000015 ++ nist: AC-2(1) ++ srg: SRG-OS-000001-GPOS-00001 ++ ++ocil_clause: 'local_users_only is not uncommented or configured correctly' ++ ++ocil: |- ++ To verify if password complexities are only enforce on local users, run the following command: ++
$ grep local_users_only /etc/security/pwquality.conf
++ The output should return local_users_only uncommented. ++ ++platform: pam ++ ++warnings: ++ - management: |- ++ Using this rule bypasses pam_faillock's functionality and should be used in cases ++ where centralized management such as LDAP or Active Directory is in use. +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml +new file mode 100644 +index 0000000000..516c5c1ae6 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Ensure password complexity for root user ++ lineinfile: ++ create: yes ++ dest: "/etc/security/pwquality.conf" ++ regexp: '^#?\s*enforce_for_root' ++ line: "enforce_for_root" +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh +new file mode 100644 +index 0000000000..97f45c6259 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++if ! 
grep -q "^enforce_for_root" /etc/security/pwquality.conf; then ++ sed "s/# enforce_for_root/enforce_for_root/g" -i /etc/security/pwquality.conf ++fi +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml +new file mode 100644 +index 0000000000..fccf5fd00e +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/oval/shared.xml +@@ -0,0 +1,21 @@ ++ ++ ++ {{{ oval_metadata("The password complexity requirements are enforced for root.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/security/pwquality.conf ++ ^[\s]*enforce_for_root[\s]*$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml +new file mode 100644 +index 0000000000..6aa1876e03 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel8 ++ ++title: 'Ensure PAM Enforces Password Requirements - Enforce for root User' ++ ++description: |- ++ The pam_pwquality module's enforce_for_root parameter controls requirements for ++ enforcing password complexity for the root user. Enable the enforce_for_root ++ setting in /etc/security/pwquality.conf to require the root user ++ to use complex passwords. ++ ++rationale: |- ++ Use of a complex password helps to increase the time and resources required to compromise ++ the password. 
Password complexity, or strength, is a measure of the effectiveness of a ++ password in resisting attempts at guessing and brute-force attacks. ++ ++ Password complexity is one factor of several that determines how long it takes to crack a ++ password. The more complex the password, the greater the number of possible combinations ++ that need to be tested before the password is compromised. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-83377-2 ++ ++references: ++ disa: CCI-000194,CCI-000193,CCI-001619,CCI-000205,CCI-000195,CCI-000192,CCI-000366 ++ nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) ++ srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037 ++ ++ocil_clause: 'enforce_for_root is not uncommented or configured correctly' ++ ++ocil: |- ++ To verify if root user is required to use complex passwords, run the following command: ++
$ grep enforce_for_root /etc/security/pwquality.conf
++ The output should return enforce_for_root uncommented. ++ ++platform: pam +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 15fe5c5bf9..b23cc05029 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -45,13 +45,15 @@ selections: + - package_audispd-plugins_installed + - package_libcap-ng-utils_installed + - auditd_audispd_syslog_plugin_activated ++ - accounts_passwords_pam_faillock_enforce_local ++ - accounts_password_pam_enforce_local ++ - accounts_password_pam_enforce_root + + # Configure TLS for remote logging + - package_rsyslog_installed + - package_rsyslog-gnutls_installed + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert +- - "!ssh_client_rekey_limit" + + # Unselect zIPL rules from OSPP + - "!zipl_bls_entries_only" +diff --git a/shared/checks/oval/accounts_password_pam_faillock.xml b/shared/checks/oval/accounts_password_pam_faillock.xml +new file mode 100644 +index 0000000000..c55c143ba5 +--- /dev/null ++++ b/shared/checks/oval/accounts_password_pam_faillock.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ Check pam_faillock Existence in system-auth ++ ++ multi_platform_all ++ ++ Check that pam_faillock.so exists in system-auth ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$ ++ 1 ++ ++ ++ +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 569eed6636..5add9d462f 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -272,4 +272,8 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info ++- ssh_client_rekey_limit ++- accounts_passwords_pam_faillock_enforce_local ++- accounts_password_pam_enforce_local ++- accounts_password_pam_enforce_root + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' 
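Review bot: The three new `bash/shared.sh` remediations only rewrite an existing `# local_users_only` (or `# enforce_for_root`) comment with sed and never add the directive when the shipped file lacks that exact commented line, so they can finish with the OVAL check still failing, whereas the ansible counterparts use `create: yes` with `lineinfile` and do converge; appending `grep -q "^local_users_only" /etc/security/faillock.conf || echo "local_users_only" >> /etc/security/faillock.conf` after the sed (and the analogous line in the two pwquality.conf scripts) closes the gap. In `shared/checks/oval/accounts_password_pam_faillock.xml` the pattern anchors on the `password` management group (`^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$`); pam_faillock is normally stacked under `auth` and `account`, so this object is unlikely to match a stock system-auth — confirm the intended group or widen it to `^\s*(?:auth|account)\s+`. Two copy-paste slips in the rule texts: `accounts_passwords_pam_faillock_enforce_local/rule.yml` opens its ocil with "To check if root user is required to use complex passwords", and `accounts_password_pam_enforce_local/rule.yml` warns about bypassing "pam_faillock's functionality" although it configures pam_pwquality. Since `local_users_only` exempts centrally managed accounts from lockout and complexity enforcement, the caveat about relying on LDAP/AD-side policy belongs in both rules' `description` as well as in `warnings`.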
diff --git a/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch b/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch new file mode 100644 index 0000000..6e4d8ea --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch @@ -0,0 +1,50 @@ +From cfbba5a3d43551fd2d8cdc7afdfa2b1fd7e2d0a4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 18 Nov 2020 14:12:26 +0100 +Subject: [PATCH 1/2] Make rsyslog_remote_tls regex case insensitive for + rsyslogs parameters. + +--- + .../rsyslog_remote_tls/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml +index ead7a770fd..56f970b2cd 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml +@@ -16,11 +16,11 @@ + + + ^/etc/rsyslog\.(conf|d/.+\.conf)$ +- ^\s*action\(type="omfwd"(.+?)\) ++ ^\s*action\((?i)type(?-i)="omfwd"(.+?)\) + 0 + + + +- (?=[\S\s]*\sprotocol="tcp")(?=[\S\s]*\sTarget="[^"]+?")(?=[\S\s]*\sport="6514")(?=[\S\s]*\sStreamDriver="gtls")(?=[\S\s]*\sStreamDriverMode="1")(?=[\S\s]*\sStreamDriverAuthMode="x509/name")(?=[\S\s]*\sstreamdriver\.CheckExtendedKeyPurpose="on") ++ (?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on") + +
+ +From 7fabf6bffca1e02fccf09f62564d65384b4cf2f8 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 18 Nov 2020 15:12:26 +0100 +Subject: [PATCH 2/2] Add test scenario for mixed case sensitivity. + +--- + .../tests/correct_singleline_mixed_cases.pass.sh | 5 +++++ + 1 file changed, 5 insertions(+) + create mode 100644 linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh + +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh +new file mode 100644 +index 0000000000..7e8455bb6c +--- /dev/null ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/tests/correct_singleline_mixed_cases.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++cat >> /etc/rsyslog.conf < +Date: Wed, 9 Dec 2020 11:58:48 +0100 +Subject: [PATCH] Set platform package mapping to None for not_s390x_arch CPE. + +--- + ssg/constants.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssg/constants.py b/ssg/constants.py +index f5c0566928..589c955f02 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -337,6 +337,7 @@ + "sssd": "sssd-common", + "zipl": "s390utils-base", + "sssd-ldap": None, # Force package check wrapping skip ++ "not_s390x_arch": None, + } + + # _version_name_map = { diff --git a/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch b/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch new file mode 100644 index 0000000..503ac36 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch 
@@ -0,0 +1,52 @@
+From a1ecfdad4c1187ccd645615b4b7b0e431e8a2d9d Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 7 Dec 2020 11:11:48 +0100
+Subject: [PATCH] Check kernel osrelease instead of using uname test
+
+Check /proc/sys/kernel/osrelease to get arch of system.
+uname test is not supported in offline mode
+---
+ ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 34 +++++++++++++++++++
+ 3 files changed, 35 insertions(+), 29 deletions(-)
+ create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+
+diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+new file mode 100644
+index 0000000000..1fc625a1e7
+--- /dev/null
++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+@@ -0,0 +1,34 @@
++
++
++
++ Test for different architecture than s390x
++
++ multi_platform_all
++
++ Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x
++
++
++
++
++
++
++
++
++
++
++
++ /proc/sys/kernel/osrelease
++ ^.*\.(.*)$
++ 1
++
++
++
++ ^s390x$
++
++
++
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index bb7a7bd..be83448 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.53
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
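Review bot: The stripped patch keeps the upstream diffstat `3 files changed, 35 insertions(+), 29 deletions(-)`, but only the 34-line `shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml` follows, so the header should be regenerated (`1 file changed, 34 insertions(+)`) or a line added under the commit message naming the upstream hunks that were dropped. The object pattern `^.*\.(.*)$` takes everything after the last dot of `/proc/sys/kernel/osrelease` as the architecture, which holds for distribution kernels named in the `<version>-<release>.el8.<arch>` form but yields some other fragment on a kernel built without the arch suffix, and the not-s390x comparison against `^s390x$` would then presumably come out true even on s390x. Worth stating in the OVAL `<description>` that the check assumes the packaged kernel release naming, and a short comment next to the pattern giving a sample value (marked as an example) would make the capture group's intent obvious.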
@@ -8,6 +8,18 @@ URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.54-add_rhel8_ospp_pam_whell-PR_6256.patch
+Patch2: scap-security-guide-0.1.54-rsyslog_case_insensitive-PR_6396.patch
+Patch3: scap-security-guide-0.1.54-pwquality_update-PR_6370.patch
+Patch4: scap-security-guide-0.1.54-kernel_trust_rng_make_grub-PR_6415.diff
+Patch5: scap-security-guide-0.1.54-add_rhel8_ospp_ssh_client_strong_entropy-PR_6404.diff
+Patch6: scap-security-guide-0.1.54-fix-oval-kernel-trust-cpu-rng-PR_6444.patch
 # Patches 7, 8 and 9 were stripped down to a build system without dynamically generated CPEs
+Patch7: scap-security-guide-0.1.54-make_usbguard_not_applicable_s390x-PR_6442.patch
+Patch8: scap-security-guide-0.1.54-use_osrelease_check_system_arch-PR_6458.patch
+Patch9: scap-security-guide-0.1.54-set_package_not_s390x_arch_to_none-PR_6462.patch
+# Patch 10 adds platform not_s390_arch to the CPE dictionary manually
+Patch10: add_not_s390x_cpe_dictionary.diff
 BuildArch: noarch
@@ -43,6 +55,16 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 mkdir build
 %build
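Review bot: The comment on the `Patch10:` line calls the platform `not_s390_arch`, but the file it describes is add_not_s390x_cpe_dictionary.diff and the constants.py hunk of the PR_6462 patch above registers `"not_s390x_arch": None`, so the comment should read `# Patch 10 adds platform not_s390x_arch to the CPE dictionary manually`. The line `# Patches 7, 8 and 9 were stripped down to a build system without dynamically generated CPEs` is also ambiguous about what was stripped and why; `# Patches 7, 8 and 9 are stripped down because this build system has no dynamically generated CPEs` states the reason directly, and naming what was dropped would help whoever rebases these patches onto a newer upstream. The %prep hunk below applies %patch1 through %patch10 in matching order and needs no change.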
@@ -77,6 +99,13 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Tue Dec 15 2020 Gabriel Becker - 0.1.53-3
+- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
+- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
+- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
+- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
+- Disable usbguard rules on s390x architecture (RHBZ#1899059)
+
 * Thu Dec 03 2020 Watson Sato - 0.1.53-2
 - Update list of profiles built (RHBZ#1889344)
