221 lines
12 KiB
Diff
221 lines
12 KiB
Diff
|
From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
|
||
|
From: Matthew Burket <mburket@redhat.com>
|
||
|
Date: Fri, 6 Aug 2021 10:48:46 -0500
|
||
|
Subject: [PATCH] Add rule for RHEL-08-020320
|
||
|
|
||
|
---
|
||
|
.../ansible/shared.yml | 0
|
||
|
.../bash/shared.sh | 2 +-
|
||
|
.../oval/shared.xml | 2 +-
|
||
|
.../accounts_authorized_local_users/rule.yml | 12 +++++++++---
|
||
|
.../tests/bad_user.fail.sh | 2 ++
|
||
|
.../tests/default.pass.sh | 16 ++++++++++++++++
|
||
|
...var_accounts_authorized_local_users_regex.var | 1 +
|
||
|
products/rhel8/profiles/stig.profile | 3 ++-
|
||
|
shared/references/cce-redhat-avail.txt | 1 -
|
||
|
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
||
|
.../profile_stability/rhel8/stig_gui.profile | 2 ++
|
||
|
11 files changed, 36 insertions(+), 7 deletions(-)
|
||
|
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
|
||
|
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
|
||
|
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
|
||
|
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
|
||
|
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
||
|
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
|
||
|
similarity index 100%
|
||
|
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml
|
||
|
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
|
||
|
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
||
|
similarity index 95%
|
||
|
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
|
||
|
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
||
|
index c342acf36d1..fedb02d84ce 100644
|
||
|
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
||
|
@@ -10,7 +10,7 @@ default_os_user="root"
|
||
|
for username in $( sed 's/:.*//' /etc/passwd ) ; do
|
||
|
if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
|
||
|
then
|
||
|
- userdel $username ;
|
||
|
+ userdel $username ;
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
||
|
similarity index 98%
|
||
|
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
|
||
|
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
||
|
index 4e42081d0dc..c56799ded20 100644
|
||
|
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
||
|
@@ -32,6 +32,6 @@
|
||
|
var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
|
||
|
</ind:textfilecontent54_state>
|
||
|
|
||
|
- <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string"
|
||
|
+ <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string"
|
||
|
comment="accounts authorized local users on operating system"/>
|
||
|
</def-group>
|
||
|
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
||
|
similarity index 88%
|
||
|
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
|
||
|
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
||
|
index ddbda30afe6..e2311f6a5c3 100644
|
||
|
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
||
|
@@ -1,6 +1,6 @@
|
||
|
documentation_complete: true
|
||
|
|
||
|
-prodtype: ol7,sle12,sle15
|
||
|
+prodtype: ol7,sle12,sle15,fedora,rhel8
|
||
|
|
||
|
title: 'Only Authorized Local User Accounts Exist on Operating System'
|
||
|
|
||
|
@@ -26,11 +26,10 @@ rationale: |-
|
||
|
severity: medium
|
||
|
|
||
|
identifiers:
|
||
|
+ cce@rhel8: CCE-85987-6
|
||
|
cce@sle12: CCE-83195-8
|
||
|
cce@sle15: CCE-85561-9
|
||
|
|
||
|
-severity: medium
|
||
|
-
|
||
|
references:
|
||
|
disa: CCI-000366
|
||
|
nist@sle12: CM-6(b),CM-6.1(iv)
|
||
|
@@ -41,6 +40,13 @@ references:
|
||
|
|
||
|
ocil_clause: 'there are unauthorized local user accounts on the system'
|
||
|
|
||
|
+{{% if 'rhel' in product %}}
|
||
|
+warnings:
|
||
|
+ - general: |-
|
||
|
+ Automatic remediation of this control is not available. Due the unique
|
||
|
+ requirements of each system.
|
||
|
+{{% endif %}}
|
||
|
+
|
||
|
ocil: |-
|
||
|
To verify that there are no unauthorized local user accounts, run the following command:
|
||
|
<pre>$ less /etc/passwd </pre>
|
||
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..6dabaff6bc6
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
||
|
@@ -0,0 +1,2 @@
|
||
|
+#! /bin/bash
|
||
|
+adduser testuser
|
||
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..d942f81d04f
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
||
|
@@ -0,0 +1,16 @@
|
||
|
+#! /bin/bash
|
||
|
+# platform = multi_platform_rhel
|
||
|
+
|
||
|
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
|
||
|
+
|
||
|
+# never delete the root user
|
||
|
+default_os_user="root"
|
||
|
+
|
||
|
+# delete users that is in /etc/passwd but neither in default_os_user
|
||
|
+# nor in var_accounts_authorized_local_users_regex
|
||
|
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
|
||
|
+ if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
|
||
|
+ then
|
||
|
+ echo $username ;
|
||
|
+ fi
|
||
|
+done
|
||
|
diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
||
|
similarity index 81%
|
||
|
rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
|
||
|
rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
||
|
index 81626307321..2f456764617 100644
|
||
|
--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
|
||
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
||
|
@@ -22,5 +22,6 @@ operator: pattern match
|
||
|
interactive: true
|
||
|
|
||
|
options:
|
||
|
+ rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
|
||
|
ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
|
||
|
saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
|
||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||
|
index f66b2a24a75..ec2929e8dc4 100644
|
||
|
--- a/products/rhel8/profiles/stig.profile
|
||
|
+++ b/products/rhel8/profiles/stig.profile
|
||
|
@@ -54,6 +54,7 @@ selections:
|
||
|
- sshd_approved_macs=stig
|
||
|
- sshd_approved_ciphers=stig
|
||
|
- sshd_idle_timeout_value=10_minutes
|
||
|
+ - var_accounts_authorized_local_users_regex=rhel8
|
||
|
- var_accounts_passwords_pam_faillock_deny=3
|
||
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||
|
- var_accounts_passwords_pam_faillock_unlock_time=never
|
||
|
@@ -576,7 +577,7 @@ selections:
|
||
|
- accounts_logon_fail_delay
|
||
|
|
||
|
# RHEL-08-020320
|
||
|
- # - accounts_authorized_local_users
|
||
|
+ - accounts_authorized_local_users
|
||
|
|
||
|
# RHEL-08-020330
|
||
|
- sshd_disable_empty_passwords
|
||
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||
|
index 1d54e8ec15f..3047c2d9b92 100644
|
||
|
--- a/shared/references/cce-redhat-avail.txt
|
||
|
+++ b/shared/references/cce-redhat-avail.txt
|
||
|
@@ -115,7 +115,6 @@ CCE-85983-5
|
||
|
CCE-85984-3
|
||
|
CCE-85985-0
|
||
|
CCE-85986-8
|
||
|
-CCE-85987-6
|
||
|
CCE-85988-4
|
||
|
CCE-85989-2
|
||
|
CCE-85990-0
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
index fcae79f6d88..9496f1e1d1d 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
@@ -27,6 +27,7 @@ selections:
|
||
|
- account_emergency_expire_date
|
||
|
- account_temp_expire_date
|
||
|
- account_unique_id
|
||
|
+- accounts_authorized_local_users
|
||
|
- accounts_have_homedir_login_defs
|
||
|
- accounts_logon_fail_delay
|
||
|
- accounts_max_concurrent_login_sessions
|
||
|
@@ -358,6 +359,7 @@ selections:
|
||
|
- var_auditd_disk_error_action=halt
|
||
|
- var_auditd_max_log_file_action=syslog
|
||
|
- var_auditd_disk_full_action=halt
|
||
|
+- var_accounts_authorized_local_users_regex=rhel8
|
||
|
- var_system_crypto_policy=fips
|
||
|
- var_sudo_timestamp_timeout=always_prompt
|
||
|
title: DISA STIG for Red Hat Enterprise Linux 8
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
index 2bbd1881f51..9e0c648a5f8 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
@@ -38,6 +38,7 @@ selections:
|
||
|
- account_emergency_expire_date
|
||
|
- account_temp_expire_date
|
||
|
- account_unique_id
|
||
|
+- accounts_authorized_local_users
|
||
|
- accounts_have_homedir_login_defs
|
||
|
- accounts_logon_fail_delay
|
||
|
- accounts_max_concurrent_login_sessions
|
||
|
@@ -368,6 +369,7 @@ selections:
|
||
|
- var_auditd_disk_error_action=halt
|
||
|
- var_auditd_max_log_file_action=syslog
|
||
|
- var_auditd_disk_full_action=halt
|
||
|
+- var_accounts_authorized_local_users_regex=rhel8
|
||
|
- var_system_crypto_policy=fips
|
||
|
- var_sudo_timestamp_timeout=always_prompt
|
||
|
title: DISA STIG with GUI for Red Hat Enterprise Linux 8
|