add rules to check that systemd.debug-shell argument is absent from boot command line

Resolves: rhbz#2092840
This commit is contained in:
Vojtech Polasek 2022-07-18 11:01:17 +02:00
parent 2838eb99d0
commit 11b3fb7bd6
2 changed files with 371 additions and 0 deletions

View File

@ -0,0 +1,369 @@
From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 6 Jul 2022 16:55:59 +0200
Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent
Create rule that ensure that systemd.debug-shell=1 is not defined for
the kernel command line.
---
.../rule.yml | 51 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
2 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..8b6ff3bc333
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Ensure debug-shell service is not enabled during boot'
+
+description: |-
+ systemd's <tt>debug-shell</tt> service is intended to
+ diagnose systemd related boot issues with various <tt>systemctl</tt>
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on <tt>tty9</tt> which is access by pressing
+ <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+ for systemd related issues and should otherwise be disabled.
+ <br /><br />
+ By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+ boot paramenter option.
+
+ Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+ doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
+ Run the following command to update command line for already installed kernels:
+ <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86292-0
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+ <pre>grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub</pre>
+ If the command returns a line, it means that debug-shell service is being enabled.
+
+fixtext: |-
+ {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
+
+platform: machine
+
+template:
+ name: grub2_bootloader_argument_absent
+ vars:
+ arg_name: systemd.debug-shell
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 431b133d416..b7af828fdb0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -271,7 +271,6 @@ CCE-86288-8
CCE-86289-6
CCE-86290-4
CCE-86291-2
-CCE-86292-0
CCE-86293-8
CCE-86294-6
CCE-86295-3
From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 8 Jul 2022 21:57:52 +0200
Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent
Create rule that ensures systemd.debug-shell=1 is not defined for the
kernel command line in zIPL.
---
.../ansible/shared.yml | 38 ++++++++++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 39 +++++++++++++++
.../rule.yml | 50 +++++++++++++++++++
.../tests/argument_missing.pass.sh | 8 +++
.../tests/configured_in_cmdline.fail.sh | 10 ++++
.../tests/configured_in_entry.fail.sh | 11 ++++
.../multiple_configured_in_cmdline.fail.sh | 7 +++
shared/references/cce-redhat-avail.txt | 1 -
9 files changed, 172 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
new file mode 100644
index 00000000000..790dd88b6b4
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain systemd.debug-shell"
+ block:
+ - name: "Check how many boot entries set systemd.debug-shell"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*systemd.debug-shell.*$"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Remove systemd.debug-shell from boot entries"
+ command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+ when: n_entries is defined and n_entries.matched >= 1
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*systemd.debug-shell.*$"
+ register: cmdline_find
+
+ - name: "Remove systemd.debug-shell from /etc/kernel/cmdline"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$'
+ line: '\1\2'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
new file mode 100644
index 00000000000..0d90d58db2c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+# Ensure new kernels and boot entries retain the boot option
+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
+ sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
new file mode 100644
index 00000000000..1399c6f662f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}}
+ <criteria operator="AND">
+ <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /boot/loader/entries/.*.conf"
+ test_ref="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" negate="true"/>
+ <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /etc/kernel/cmdline"
+ test_ref="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" negate="true"/>
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf"
+ comment="Check if argument systemd.debug-shell is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
+ check="at least one" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+ <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+
+ </ind:textfilecontent54_state><ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline"
+ comment="Check if argument systemd.debug-shell is present in /etc/kernel/cmdline"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+ <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+ <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..3a442c4eb79
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhcos4,rhel8,rhel9
+
+title: 'Ensure debug-shell service is not enabled in zIPL'
+
+description: |-
+ systemd's <tt>debug-shell</tt> service is intended to
+ diagnose systemd related boot issues with various <tt>systemctl</tt>
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on <tt>tty9</tt> which is access by pressing
+ <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+ for systemd related issues and should otherwise be disabled.
+ <br /><br />
+ By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+ boot paramenter option.
+
+ Check that not boot entries in <tt>/boot/loader/entries/*.conf</tt> have
+ <tt>systemd.debug-shell=1</tt> included in its options.<br />
+ To ensure that new kernels and boot entries don't enable the debug-shell, check
+ that <tt>systemd.debug-shell=1</tt> is not present in <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86420-7
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+ <pre>sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that enables the debug-shell.
+
+platform: machine
+
+#template:
+# name: zipl_bls_entries_option_absent
+# vars:
+# arg_name: systemd.debug-shell
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
new file mode 100644
index 00000000000..4649db979cf
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries don't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..faac856fbed
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline contains systemd.debug-shell
+if ! grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "systemd.debug-shell=1" >> /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
new file mode 100644
index 00000000000..fe07a37d0c3
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove systemd.debug-shell from all boot entries
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains systemd.debug-shell
+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..0c2febb0370
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b7af828fdb0..254fa817f8e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -376,7 +376,6 @@ CCE-86416-5
CCE-86417-3
CCE-86418-1
CCE-86419-9
-CCE-86420-7
CCE-86424-9
CCE-86425-6
CCE-86426-4
From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 7 Jul 2022 09:37:46 +0200
Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP
---
products/rhel9/profiles/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f902dd5e7cd..f1faaedb812 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -75,6 +75,7 @@ selections:
- disable_ctrlaltdel_reboot
- disable_ctrlaltdel_burstaction
- service_debug-shell_disabled
+ - grub2_systemd_debug-shell_argument_absent
### umask
- var_accounts_user_umask=027
@@ -380,3 +381,4 @@ selections:
- zipl_audit_backlog_limit_argument
- zipl_init_on_alloc_argument
- zipl_page_alloc_shuffle_argument
+ - zipl_systemd_debug-shell_argument_absent

View File

@ -31,6 +31,7 @@ Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespace
Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
Patch7: scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
%description
The scap-security-guide project provides a guide for configuration of the
@ -113,6 +114,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)