scap-security-guide/scap-security-guide-0.1.58-various_fixes-PR_7335.patch

943 lines
44 KiB
Diff
Raw Normal View History

From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 16:57:13 +0200
Subject: [PATCH 1/5] Enable more RHEL9 content
---
.../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
.../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
.../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
.../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
.../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
.../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
.../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
.../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
.../rule.yml | 3 ++-
products/rhel9/profiles/hipaa.profile | 6 +++---
products/rhel9/profiles/ospp.profile | 8 ++++----
products/rhel9/profiles/pci-dss.profile | 4 ++--
shared/references/cce-redhat-avail.txt | 6 ------
13 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
index f43f92c2f15..c0fbe2c5e34 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhel9,rhcos4
title: 'Configure session renegotiation for SSH client'
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82880-6
+ cce@rhel9: CCE-87522-9
references:
disa: CCI-000068
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
index 7d4faedfb47..d8063726fb4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 94767ad5993..4cbf5c84651 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,9 +1,5 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
{{%- if init_system == "systemd" -%}}
-{{% if product in ["rhel7", "rhel8"] %}}
-# The process to disable ctrl+alt+del has changed in RHEL7.
-# Reference: https://access.redhat.com/solutions/1123873
-{{% endif %}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
{{%- else -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index 0652fbeadaf..9c6534cf401 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install the pcsc-lite package'
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82347-6
cce@rhel8: CCE-80993-9
+ cce@rhel9: CCE-86280-5
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
index e14db48c22a..6472ade5791 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Enable the pcscd Service'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80569-7
cce@rhel8: CCE-80881-6
+ cce@rhel9: CCE-87907-2
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index a6862c2af25..984a8cf333e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
title: 'Enforce usage of pam_wheel for su authentication'
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-85855-5
cce@rhel8: CCE-83318-6
+ cce@rhel9: CCE-90085-2
references:
cis@rhel7: "5.7"
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 1b71c7d3acd..3779b396b4e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
title: 'Ensure the Default C Shell Umask is Set Correctly'
@@ -20,6 +20,7 @@ identifiers:
cce@rhcos4: CCE-84261-7
cce@rhel7: CCE-80203-3
cce@rhel8: CCE-81037-4
+ cce@rhel9: CCE-87721-7
references:
cis-csc: '18'
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
index a65bec7348c..3a4847ff9d8 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
@@ -6,6 +6,7 @@
<criteria comment="Installed operating system is a certified operating system" operator="OR">
<extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
<extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
+ <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
<extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
<extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
<extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 8b6577226fb..4f49b3b825d 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8
+prodtype: rhel8,rhel9
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
+ cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 1e0ea047b98..797c62708e2 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -33,9 +33,9 @@ selections:
- require_singleuser_auth
- restrict_serial_port_logins
- securetty_root_login_console_only
- - service_debug-shell_disabled # not supported in RHEL9 ATM
- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0ae391c60bf..adec0cbd774 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -107,7 +107,7 @@ selections:
- var_accounts_user_umask=027
- accounts_umask_etc_profile
- accounts_umask_etc_bashrc
-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
+ - accounts_umask_etc_csh_cshrc
### Software update
- ensure_redhat_gpgkey_installed
@@ -177,7 +177,7 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
+ - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
@@ -221,7 +221,7 @@ selections:
- securetty_root_login_console_only
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
+ - use_pam_wheel_for_su
### SELinux Configuration
- var_selinux_state=enforcing
@@ -422,7 +422,7 @@ selections:
- kerberos_disable_no_keytab
# set ssh client rekey limit
-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+ - ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index af347501989..1fe85d39ae0 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -121,8 +121,8 @@ selections:
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
- force_opensc_card_drivers
-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
-# - service_pcscd_enabled # not supported in RHEL9 ATM
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
- set_password_hashing_algorithm_logindefs
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index aa0b30da834..e78838a45aa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -396,7 +396,6 @@ CCE-86276-3
CCE-86277-1
CCE-86278-9
CCE-86279-7
-CCE-86280-5
CCE-86281-3
CCE-86282-1
CCE-86283-9
@@ -1618,7 +1617,6 @@ CCE-87518-7
CCE-87519-5
CCE-87520-3
CCE-87521-1
-CCE-87522-9
CCE-87523-7
CCE-87525-2
CCE-87526-0
@@ -1812,7 +1810,6 @@ CCE-87717-5
CCE-87718-3
CCE-87719-1
CCE-87720-9
-CCE-87721-7
CCE-87722-5
CCE-87723-3
CCE-87724-1
@@ -1994,7 +1991,6 @@ CCE-87903-1
CCE-87904-9
CCE-87905-6
CCE-87906-4
-CCE-87907-2
CCE-87908-0
CCE-87909-8
CCE-87910-6
@@ -3932,7 +3928,6 @@ CCE-89874-2
CCE-89875-9
CCE-89877-5
CCE-89878-3
-CCE-89879-1
CCE-89880-9
CCE-89881-7
CCE-89882-5
@@ -4135,7 +4130,6 @@ CCE-90081-1
CCE-90082-9
CCE-90083-7
CCE-90084-5
-CCE-90085-2
CCE-90086-0
CCE-90087-8
CCE-90088-6
From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 16:30:45 +0200
Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
---
.../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
.../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
.../configure_tmux_lock_command/bash/shared.sh | 2 +-
.../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
.../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bfbb82..737d725872d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
cat >> /etc/bashrc <<'EOF'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
index 233047afcbc..947e1dd7ee5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
index f2430618ab3..0c11c1224e2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
index 45c43e8d374..60e0a7e34c8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if grep -q 'tmux$' /etc/shells ; then
sed -i '/tmux$/d' /etc/shells
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
index 87476a7b315..c98847ded72 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
fips-mode-setup --enable
From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 17:56:57 +0200
Subject: [PATCH 3/5] Update the grub config path
RHEL9 and Fedora EFI/legacy grub paths have been unified:
https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
The location of Ubuntu EFI grub paths has been estimated from
https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
Location of SLE EFI grub paths has been taken from existing rules
---
.../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
.../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
.../uefi/grub2_uefi_password/rule.yml | 10 ++++----
.../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
products/fedora/product.yml | 2 ++
products/rhel7/product.yml | 2 ++
products/rhel8/product.yml | 2 ++
products/rhel9/product.yml | 2 ++
products/sle12/product.yml | 2 ++
products/sle15/product.yml | 1 +
products/ubuntu1604/product.yml | 1 +
products/ubuntu1804/product.yml | 1 +
products/ubuntu2004/product.yml | 1 +
ssg/constants.py | 1 +
ssg/products.py | 4 ++++
tests/shared/grub2.sh | 10 +++++---
17 files changed, 50 insertions(+), 47 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 8545e8ab2c7..7950c15a848 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -1,26 +1,20 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_admin_username" version="1">
{{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
<ind:object object_ref="object_bootloader_uefi_unique_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8a98cbdc95f..128d7cc1cb8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 230aab73139..a67c8ad99bb 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -1,32 +1,26 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_password" version="1">
{{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
<criteria operator="AND">
<criteria comment="check both files to account for procedure change in documenation" operator="OR">
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
</criteria>
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
</criteria>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
<ind:object object_ref="object_bootloader_uefi_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -35,7 +29,7 @@
<ind:object object_ref="object_grub2_uefi_password_usercfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -44,7 +38,7 @@
<ind:object object_ref="object_grub2_uefi_password_grubcfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index cb0d60c3ddf..cc68441e5ad 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -31,10 +31,8 @@ description: |-
<tt>grub.cfg</tt> file by running:
{{% if "ubuntu" in product %}}
<pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg</pre>
{{% else %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
{{% endif %}}
rationale: |-
@@ -91,18 +89,18 @@ ocil: |-
To verify the boot loader superuser account password has been set,
and the password encrypted, run the following command:
{{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat /boot/efi/EFI/sles/grub.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should be similar to:
<pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
{{% elif "ubuntu" in product %}}
- <pre>grep -i password /boot/grub/grub.cfg</pre>
+ <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should contain something similar to:
<pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
{{% else %}}
- <pre>sudo cat /boot/efi/EFI/redhat/user.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
index 72872d907e3..89a9fae86ec 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
@@ -1,27 +1,21 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="uefi_no_removeable_media" version="1">
{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
- <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+ comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
id="test_uefi_no_removeable_media" version="1">
<ind:object object_ref="obj_uefi_no_removeable_media" />
<ind:state state_ref="state_uefi_no_removeable_media" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -30,5 +24,5 @@
<ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
</ind:textfilecontent54_state>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
</def-group>
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
index 0cb53c5331e..ea8e98eea78 100644
--- a/products/fedora/product.yml
+++ b/products/fedora/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
cpes_root: "../../shared/applicability"
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
index fb5d17786da..6438797f218 100644
--- a/products/rhel7/product.yml
+++ b/products/rhel7/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel7:
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
index 78c987b2457..f6d2102558d 100644
--- a/products/rhel8/product.yml
+++ b/products/rhel8/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel8:
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 4ceb332adf3..6b5a15d5cee 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
index d1301a17f91..b9e44e0725c 100644
--- a/products/sle12/product.yml
+++ b/products/sle12/product.yml
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
+
cpes_root: "../../shared/applicability"
cpes:
- sle12-server:
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
index 827a875d493..36ec98397f6 100644
--- a/products/ubuntu1604/product.yml
+++ b/products/ubuntu1604/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
index 68922441a2a..f1671b8d7dd 100644
--- a/products/ubuntu1804/product.yml
+++ b/products/ubuntu1804/product.yml
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
init_system: "systemd"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
index 15565b6748f..d75624d70a3 100644
--- a/products/ubuntu2004/product.yml
+++ b/products/ubuntu2004/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/ssg/constants.py b/ssg/constants.py
index 666d7a4d3c8..f9c978a22a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -383,4 +383,5 @@
# Application constants
DEFAULT_UID_MIN = 1000
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b741b2..fb55f5c2f4b 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -9,6 +9,7 @@
from .constants import (product_directories,
DEFAULT_UID_MIN,
DEFAULT_GRUB2_BOOT_PATH,
+ DEFAULT_GRUB2_UEFI_BOOT_PATH,
DEFAULT_DCONF_GDM_DIR,
PKG_MANAGER_TO_SYSTEM,
PKG_MANAGER_TO_CONFIG_FILE,
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
if "grub2_boot_path" not in existing_properties:
result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ if "grub2_uefi_boot_path" not in existing_properties:
+ result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
+
if "dconf_gdm_dir" not in existing_properties:
result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index bce7683a7c1..f024b3766cf 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
function set_grub_uefi_root {
if grep NAME /etc/os-release | grep -iq fedora; then
- GRUB_CFG_ROOT=/boot/efi/EFI/fedora
- else
- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ GRUB_CFG_ROOT=/boot/grub2
+ elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+ GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ fi
fi
}
From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 5 Aug 2021 17:59:39 +0200
Subject: [PATCH 4/5] Add the sshd directory configuration rule
Remediations of other sshd rules assumes that sshd is configured using
multiple files as opposed to one huge file, and this rule
makes sure that the assumption is guarded.
---
controls/anssi.yml | 3 +++
products/rhel9/profiles/cis.profile | 2 ++
products/rhel9/profiles/cjis.profile | 1 +
products/rhel9/profiles/e8.profile | 1 +
products/rhel9/profiles/hipaa.profile | 1 +
products/rhel9/profiles/ism_o.profile | 1 +
products/rhel9/profiles/ospp.profile | 1 +
products/rhel9/profiles/pci-dss.profile | 1 +
products/rhel9/profiles/rht-ccp.profile | 1 +
9 files changed, 12 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 7737e67ea51..eee79cf1ef7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -384,6 +384,9 @@ controls:
- package_sudo_installed
- audit_rules_privileged_commands_sudo
+ # This rule should be present in the profile at least once
+ - sshd_use_directory_configuration
+
- id: R20
levels:
- enhanced
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 622f88e3766..8d7816e5e2d 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -791,6 +791,8 @@ selections:
- file_permissions_sshd_pub_key
# TO DO: check owner of pub keys in /etc/ssh is root:root
+ # Ensure that the configuration is done the right way
+ - sshd_use_directory_configuration
### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- sshd_set_loglevel_info
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
index b45ba19d84f..0aaf7cb0206 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -98,6 +98,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 6d87a778eee..3851255ccec 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -126,6 +126,7 @@ selections:
- audit_rules_kernel_module_loading
### Secure access
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_disable_gssapi_auth
- sshd_print_last_log
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 797c62708e2..d1dc18ba33c 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
+ - sshd_use_directory_configuration
- sshd_disable_empty_passwords
- sshd_disable_root_login
- libreswan_approved_tunnels
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 82e863ad3d3..6fc919da128 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -56,6 +56,7 @@ selections:
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_use_directory_configuration
- sshd_max_auth_tries_value=5
- disable_host_auth
- require_emergency_target_auth
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index adec0cbd774..08ffcccd9e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
### Services
# sshd
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_enable_strictmodes
- disable_host_auth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 1fe85d39ae0..bd16dc97721 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -105,6 +105,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
index e1d9a70b493..8576975aa54 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -87,6 +87,7 @@ selections:
- service_telnet_disabled
- package_telnet-server_removed
- package_telnet_removed
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 11 Aug 2021 16:43:00 +0200
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
Packages dnf-plugin-subscription-manager and subscription-manager are
merged to subscription-manager in RHEL9 - see
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
---
.../rule.yml | 3 +--
.../package_subscription-manager_installed/rule.yml | 9 ++++++++-
products/rhel9/profiles/ospp.profile | 1 -
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 4f49b3b825d..8b6577226fb 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: rhel8
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
- cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index b90a7588270..32e5ce9a129 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -12,7 +12,14 @@ rationale: |-
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
- content management tools such as yum.
+ content management tools such as {{{ package_manager }}}.
+
+ {{% if product in ["rhel9"] %}}
+ The package provides, among other things, {{{ package_manager }}} plugins
+ to interact with repositories and subscriptions
+ from the Red Hat entitlement platform - the subscription-manager and
+ product-id plugins.
+ {{% endif %}}
severity: medium
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 08ffcccd9e2..1b060c7bf07 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -178,7 +178,6 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
- - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed