add rules to check that systemd.debug-shell argument is absent from boot command line

Resolves: rhbz#2092840
2022-07-18 11:01:17 +02:00 · 2022-07-18 11:01:17 +02:00 · 11b3fb7bd6
commit 11b3fb7bd6
parent 2838eb99d0
2 changed files with 371 additions and 0 deletions
--- a/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
+++ b/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
@ -0,0 +1,369 @@
+From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 6 Jul 2022 16:55:59 +0200
+Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent
+
+Create rule that ensure that systemd.debug-shell=1 is not defined for
+the kernel command line.
+---
+ .../rule.yml                                  | 51 +++++++++++++++++++
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
+new file mode 100644
+index 00000000000..8b6ff3bc333
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
+@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Ensure debug-shell service is not enabled during boot'
+
+description: |-
+    systemd's <tt>debug-shell</tt> service is intended to
+    diagnose systemd related boot issues with various <tt>systemctl</tt>
+    commands. Once enabled and following a system reboot, the root shell
+    will be available on <tt>tty9</tt> which is access by pressing
+    <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+    for systemd related issues and should otherwise be disabled.
+    <br /><br />
+    By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+    Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+    boot paramenter option.
+
+    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+    doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
+    Run the following command to update command line for already installed kernels:
+    <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
+
+rationale: |-
+    This prevents attackers with physical access from trivially bypassing security
+    on the machine through valid troubleshooting configurations and gaining root
+    access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86292-0
+
+references:
+    ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+    Ensure that debug-shell service is not enabled with the following command:
+    <pre>grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub</pre>
+    If the command returns a line, it means that debug-shell service is being enabled.
+
+fixtext: |-
+    {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
+
+platform: machine
+
+template:
+    name: grub2_bootloader_argument_absent
+    vars:
+        arg_name: systemd.debug-shell
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 431b133d416..b7af828fdb0 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -271,7 +271,6 @@ CCE-86288-8
+ CCE-86289-6
+ CCE-86290-4
+ CCE-86291-2
+-CCE-86292-0
+ CCE-86293-8
+ CCE-86294-6
+ CCE-86295-3
+
+From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 8 Jul 2022 21:57:52 +0200
+Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent
+
+Create rule that ensures systemd.debug-shell=1 is not defined for the
+kernel command line in zIPL.
+---
+ .../ansible/shared.yml                        | 38 ++++++++++++++
+ .../bash/shared.sh                            |  9 ++++
+ .../oval/shared.xml                           | 39 +++++++++++++++
+ .../rule.yml                                  | 50 +++++++++++++++++++
+ .../tests/argument_missing.pass.sh            |  8 +++
+ .../tests/configured_in_cmdline.fail.sh       | 10 ++++
+ .../tests/configured_in_entry.fail.sh         | 11 ++++
+ .../multiple_configured_in_cmdline.fail.sh    |  7 +++
+ shared/references/cce-redhat-avail.txt        |  1 -
+ 9 files changed, 172 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
+ create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
+new file mode 100644
+index 00000000000..790dd88b6b4
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
+@@ -0,0 +1,38 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain systemd.debug-shell"
+  block:
+    - name: "Check how many boot entries set systemd.debug-shell"
+      find:
+        paths: "/boot/loader/entries/"
+        contains: "^options .*systemd.debug-shell.*$"
+        patterns: "*.conf"
+      register: n_entries
+
+    - name: "Remove systemd.debug-shell from boot entries"
+      command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+      when: n_entries is defined and n_entries.matched >= 1
+
+    - name: "Check if /etc/kernel/cmdline exists"
+      stat:
+        path: /etc/kernel/cmdline
+      register: cmdline_stat
+
+    - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell"
+      find:
+        paths: "/etc/kernel/"
+        patterns: "cmdline"
+        contains: "^.*systemd.debug-shell.*$"
+      register: cmdline_find
+
+    - name: "Remove systemd.debug-shell from /etc/kernel/cmdline"
+      lineinfile:
+        path: "/etc/kernel/cmdline"
+        backrefs: yes
+        regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$'
+        line: '\1\2'
+      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
+new file mode 100644
+index 00000000000..0d90d58db2c
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
+@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+# Ensure new kernels and boot entries retain the boot option
+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
+    sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
+fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
+new file mode 100644
+index 00000000000..1399c6f662f
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
+@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+  {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}}
+    <criteria operator="AND">
+      <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /boot/loader/entries/.*.conf"
+      test_ref="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" negate="true"/>
+      <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /etc/kernel/cmdline"
+      test_ref="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" negate="true"/>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf"
+  comment="Check if argument systemd.debug-shell is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
+  check="at least one" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+    <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+    <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+
+  </ind:textfilecontent54_state><ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline"
+  comment="Check if argument systemd.debug-shell is present in /etc/kernel/cmdline"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+    <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+    <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
+new file mode 100644
+index 00000000000..3a442c4eb79
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
+@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhcos4,rhel8,rhel9
+
+title: 'Ensure debug-shell service is not enabled in zIPL'
+
+description: |-
+    systemd's <tt>debug-shell</tt> service is intended to
+    diagnose systemd related boot issues with various <tt>systemctl</tt>
+    commands. Once enabled and following a system reboot, the root shell
+    will be available on <tt>tty9</tt> which is access by pressing
+    <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+    for systemd related issues and should otherwise be disabled.
+    <br /><br />
+    By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+    Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+    boot paramenter option.
+
+    Check that not boot entries in <tt>/boot/loader/entries/*.conf</tt> have
+    <tt>systemd.debug-shell=1</tt> included in its options.<br />
+    To ensure that new kernels and boot entries don't enable the debug-shell, check
+    that <tt>systemd.debug-shell=1</tt> is not present in <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+    This prevents attackers with physical access from trivially bypassing security
+    on the machine through valid troubleshooting configurations and gaining root
+    access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86420-7
+
+references:
+    ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+    Ensure that debug-shell service is not enabled with the following command:
+    <pre>sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf</pre>
+    No line should be returned, each line returned is a boot entry that enables the debug-shell.
+
+platform: machine
+
+#template:
+#  name: zipl_bls_entries_option_absent
+#  vars:
+#    arg_name: systemd.debug-shell
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
+new file mode 100644
+index 00000000000..4649db979cf
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
+@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries don't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
+new file mode 100644
+index 00000000000..faac856fbed
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
+@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline contains systemd.debug-shell
+if ! grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then
+    echo "systemd.debug-shell=1" >> /etc/kernel/cmdline
+fi
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
+new file mode 100644
+index 00000000000..fe07a37d0c3
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
+@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove systemd.debug-shell from all boot entries
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains systemd.debug-shell
+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
+new file mode 100644
+index 00000000000..0c2febb0370
+--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
+@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index b7af828fdb0..254fa817f8e 100644
+--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
+@@ -376,7 +376,6 @@ CCE-86416-5
+ CCE-86417-3
+ CCE-86418-1
+ CCE-86419-9
+-CCE-86420-7
+ CCE-86424-9
+ CCE-86425-6
+ CCE-86426-4
+
+From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 7 Jul 2022 09:37:46 +0200
+Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP
+
+---
+ products/rhel9/profiles/ospp.profile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index f902dd5e7cd..f1faaedb812 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -75,6 +75,7 @@ selections:
+     - disable_ctrlaltdel_reboot
+     - disable_ctrlaltdel_burstaction
+     - service_debug-shell_disabled
+    - grub2_systemd_debug-shell_argument_absent
+ 
+     ### umask
+     - var_accounts_user_umask=027
+@@ -380,3 +381,4 @@ selections:
+     - zipl_audit_backlog_limit_argument
+     - zipl_init_on_alloc_argument
+     - zipl_page_alloc_shuffle_argument
+    - zipl_systemd_debug-shell_argument_absent
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -31,6 +31,7 @@ Patch3:                scap-security-guide-0.1.63-sysctl_user_max_user_namespace
 Patch4:                scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
 Patch5:                scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
 Patch6:                scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
+Patch7:                scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -113,6 +114,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
 - Remove some sysctl rules  related to network from RHEL9 OSPP (RHBZ#2081708)
 - Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
+- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)