commit 36b22c1b5f2cf6bdbe346cbca9c185f75e5dc8e6
Author: Watson Sato
Date: Mon Feb 28 11:28:39 2022 +0100
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch.
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bf..4519460 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,7 +1,11 @@
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# reboot = true
+# strategy = enable
+# complexity = low
+# disruption = low
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
- cat >> /etc/bashrc <<'EOF'
+ cat >> /etc/profile.d/tmux.sh <<'EOF'
if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
index 00ac349..4cb2f9e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
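Review bot: The guard on the `if ! grep -x ...` line still searches only /etc/bashrc, while the `cat >>` now writes to /etc/profile.d/tmux.sh, so on a host where the snippet already lives in tmux.sh the grep misses it and every run of the remediation appends one more copy to that file. Searching both locations keeps the remediation idempotent: extend the grep's file list to `/etc/bashrc /etc/profile.d/*.sh` (with `-q` while at it, since only the status is used). The `if` block and the heredoc continue past the end of this hunk, so the closing `EOF`/`fi` are not visible here.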
@@ -4,21 +4,27 @@ + - - - /etc/bashrc - ^(.*)$ - 1 + ^/etc/bashrc$|^/etc/profile\.d/.*$ + if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi + 1 - - if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi - + + + + + + + ^tmux(?:|[\s]+.*)$ + 0 + diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml index c43b8cb..6be090b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml @@ -7,12 +7,20 @@ title: 'Support session locking with tmux' description: |- The tmux terminal multiplexer is used to implement automatic session locking. It should be started from - /etc/bashrc. + /etc/bashrc or drop-in files within /etc/profile.d/. + Additionally it must be ensured that the tmux process is running + and it can be verified with the following command: +
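Review bot: The new filepath pattern `^/etc/bashrc$|^/etc/profile\.d/.*$` accepts any file under /etc/profile.d, but only `*.sh` drop-ins are sourced there (the stock /etc/bashrc copied into wrong_value.fail.sh loops over `/etc/profile.d/*.sh`), so a snippet in a `.conf` file, a `.rpmsave` backup or an editor's `tmux.sh~` satisfies the check without ever executing; the new correct_value_d_directory.pass.sh scenario writes `00-complianceascode.conf` and therefore passes for a configuration that is never loaded. Narrow the pattern to `^/etc/bashrc$|^/etc/profile\.d/[^/]+\.sh$` and rename the scenario's drop-in to end in `.sh`. The process criterion `^tmux(?:|[\s]+.*)$` only shows that some tmux process exists on the host, not that login shells exec it; the element markup is stripped in this view, so the exact check and existence semantics cannot be confirmed from here.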
ps all | grep tmux | grep -v grep
rationale: |- Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. +warnings: + - general: |- + The remediation does not start the tmux process, so it must be + manually started or have the system rebooted after applying the fix. + severity: medium identifiers: @@ -25,17 +33,21 @@ references: srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009 stigid@rhel8: RHEL-08-020041 -ocil_clause: 'exec tmux is not present at the end of bashrc' +ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running' ocil: |- To verify that tmux is configured to execute, run the following command: -
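Review bot: The verification command added to the description, `ps all | grep tmux | grep -v grep`, is the grep-filters-grep idiom and matches any process whose command line merely contains "tmux" (an editor opened on tmux.sh, for instance), so it can report a false positive. `pgrep -x tmux` states the intent exactly and needs no self-exclusion; the same command is repeated in the ocil text of the next hunk and should change together with it.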
$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc
+
$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*
The output should return the following:
if [ "$PS1" ]; then
       parent=$(ps -o ppid= -p $$)
       name=$(ps -o comm= -p $parent)
       case "$name" in sshd|login) exec tmux ;; esac
     fi
+ To verify that the tmux process is running, + run the following command: +
ps all | grep tmux | grep -v grep
+ If the command does not produce output, this is a finding.
platform: machine
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
new file mode 100644
index 0000000..221c186
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = tmux
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
new file mode 100644
index 0000000..1702bb1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = tmux
+
+
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+tmux new-session -s root -d
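Review bot: The updated `ocil_clause` and ocil text describe only two findings, the snippet missing and tmux not running, while the duplicate_value_multiple_files.fail.sh scenario added in this commit expects the snippet present in both /etc/bashrc and a /etc/profile.d file to fail; an assessor following the new `grep ... /etc/bashrc /etc/profile.d/*` sees two matching blocks and is given no instruction to treat that as a finding. If the OVAL indeed rejects duplicates, state it in both places, e.g. `ocil_clause: 'exec tmux is not present exactly once in bashrc or /etc/profile.d, or tmux process is not running'` and, after the expected output, `The block must appear in exactly one of the files; if it appears in more than one, or in none, this is a finding.`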
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
new file mode 100644
index 0000000..1dc38b8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
new file mode 100644
index 0000000..6cb9d83
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = tmux
+# remediation = none
+
+cat >> /etc/bashrc <<'EOF'
+if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in sshd|login) exec tmux ;; esac
+fi
+EOF
+
+killall tmux || true
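Review bot: duplicate_value_multiple_files.fail.sh never installs or starts tmux (no `# packages = tmux` header, no `tmux new-session`), so the scan fails on the running-process criterion whether or not the duplicated block is detected, and the scenario does not prove what its name promises. Add `# packages = tmux` after the shebang and `tmux new-session -s root -d` at the end, mirroring correct_value.pass.sh, so that the duplicate snippet is the only remaining reason to fail.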
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..f13a8b0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
@@ -0,0 +1,105 @@ +#!/bin/bash +# packages = tmux + +cat > /etc/bashrc <<'EOF' +# /etc/bashrc + +# System wide functions and aliases +# Environment stuff goes in /etc/profile + +# It's NOT a good idea to change this file unless you know what you +# are doing. It's much better to create a custom.sh shell script in +# /etc/profile.d/ to make custom changes to your environment, as this +# will prevent the need for merging in future updates. + +# Prevent doublesourcing +if [ -z "$BASHRCSOURCED" ]; then + BASHRCSOURCED="Y" + + # are we an interactive shell? + if [ "$PS1" ]; then + if [ -z "$PROMPT_COMMAND" ]; then + case $TERM in + xterm*|vte*) + if [ -e /etc/sysconfig/bash-prompt-xterm ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm + elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then + PROMPT_COMMAND="__vte_prompt_command" + else + PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + screen*) + if [ -e /etc/sysconfig/bash-prompt-screen ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen + else + PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + *) + [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default + ;; + esac + fi + # Turn on parallel history + shopt -s histappend + history -a + # Turn on checkwinsize + shopt -s checkwinsize + [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " + # You might want to have e.g. tty in prompt (e.g. more virtual machines) + # and console windows + # If you want to do so, just add e.g. + # if [ "$PS1" ]; then + # PS1="[\u@\h:\l \W]\\$ " + # fi + # to your custom modification shell script in /etc/profile.d/ directory + fi + + if ! 
shopt -q login_shell ; then # We're not a login shell + # Need to redefine pathmunge, it gets undefined at the end of /etc/profile + pathmunge () { + case ":${PATH}:" in + *:"$1":*) + ;; + *) + if [ "$2" = "after" ] ; then + PATH=$PATH:$1 + else + PATH=$1:$PATH + fi + esac + } + + # By default, we want umask to get set. This sets it for non-login shell. + # Current threshold for system reserved uid/gids is 200 + # You could check uidgid reservation validity in + # /usr/share/doc/setup-*/uidgid file + if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then + umask 002 + else + umask 022 + fi + + SHELL=/bin/bash + # Only display echos from profile.d scripts if we are no login shell + # and interactive - otherwise just process them to set envvars + for i in /etc/profile.d/*.sh; do + if [ -r "$i" ]; then + if [ "$PS1" ]; then + . "$i" + else + . "$i" >/dev/null + fi + fi + done + + unset i + unset -f pathmunge + fi + +fi +# vim:ts=4:sw=4 +EOF + +tmux new-session -s root -d