commit e5b8b968d882aa8fa1795dcabf185781f59b5671 Author: Watson Sato Date: Mon Feb 28 12:01:18 2022 +0100 Manual edited patch scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch. diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml index 4cb2f9e..58f91ea 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml @@ -4,7 +4,6 @@ - if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi 1 - - - - - - - ^tmux(?:|[\s]+.*)$ - 0 - diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml index 6be090b..0e4db6d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml @@ -8,19 +8,11 @@ description: |- The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/. - Additionally it must be ensured that the tmux process is running - and it can be verified with the following command: -
ps all | grep tmux | grep -v grep
rationale: |- Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. -warnings: - - general: |- - The remediation does not start the tmux process, so it must be - manually started or have the system rebooted after applying the fix. - severity: medium identifiers: @@ -33,7 +25,7 @@ references: srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009 stigid@rhel8: RHEL-08-020041 -ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running' +ocil_clause: 'exec tmux is not present at the end of bashrc' ocil: |- To verify that tmux is configured to execute, @@ -45,9 +37,5 @@ ocil: |- name=$(ps -o comm= -p $parent) case "$name" in sshd|login) exec tmux ;; esac fi - To verify that the tmux process is running, - run the following command: -
ps all | grep tmux | grep -v grep
- If the command does not produce output, this is a finding. platform: machine diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh index 221c186..fbc7590 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh @@ -9,4 +9,3 @@ if [ "$PS1" ]; then fi EOF -tmux new-session -s root -d diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh index 1702bb1..6107f86 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh @@ -10,4 +10,3 @@ if [ "$PS1" ]; then fi EOF -tmux new-session -s root -d diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh deleted file mode 100644 index 6cb9d83..0000000 
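Review bot: With the running-process check removed, rule.yml no longer tells the reader that a passing result covers configuration only. Shells that were already open when the snippet was added are not running under tmux, so they presumably have no tmux session lock until the user logs in again. The removed `warnings` entry in the first rule.yml hunk was the only place that said the remediation does not start tmux, so I would keep it in reworded form, for example `The remediation does not start tmux; sessions that are already open are not covered until the next login.` Separately, the new `ocil_clause` names only bashrc, while the description also allows drop-in files within /etc/profile.d/. If the check accepts those, as the correct_value_d_directory test suggests, the clause could read `'exec tmux is not present at the end of bashrc or of a drop-in file within /etc/profile.d/'`.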
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# packages = tmux
-# remediation = none
-
-cat >> /etc/bashrc <<'EOF'
-if [ "$PS1" ]; then
- parent=$(ps -o ppid= -p $$)
- name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) exec tmux ;; esac
-fi
-EOF
-
-killall tmux || true
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
index f13a8b0..9b46165 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
 fi
 # vim:ts=4:sw=4
 EOF
-
-tmux new-session -s root -d