From 11b3fb7bd660511c2b3b3a0c343690eac2374ae7 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jul 2022 11:01:17 +0200 Subject: [PATCH] add rules to check that systemd.debug-shell argument is absent from boot command line Resolves: rhbz#2092840 --- ..._debug-shell_argument_absent-PR_9100.patch | 369 ++++++++++++++++++ scap-security-guide.spec | 2 + 2 files changed, 371 insertions(+) create mode 100644 scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch diff --git a/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch b/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch new file mode 100644 index 0000000..debaae5 --- /dev/null +++ b/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch 
@@ -0,0 +1,369 @@ +From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 6 Jul 2022 16:55:59 +0200 +Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent + +Create rule that ensure that systemd.debug-shell=1 is not defined for +the kernel command line. +--- + .../rule.yml | 51 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 51 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +new file mode 100644 +index 00000000000..8b6ff3bc333 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +@@ -0,0 +1,51 @@ ++documentation_complete: true ++ ++title: 'Ensure debug-shell service is not enabled during boot' ++ ++description: |- ++ systemd's debug-shell service is intended to ++ diagnose systemd related boot issues with various systemctl ++ commands. Once enabled and following a system reboot, the root shell ++ will be available on tty9 which is access by pressing ++ CTRL-ALT-F9. The debug-shell service should only be used ++ for systemd related issues and should otherwise be disabled. ++

++ By default, the debug-shell systemd service is already disabled. ++ ++ Ensure the debug-shell is not enabled by the systemd.debug-shel=1 ++ boot paramenter option. ++ ++ Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub ++ doesn't contain the argument systemd.debug-shell=1. ++ Run the following command to update command line for already installed kernels: ++
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
++ ++rationale: |- ++ This prevents attackers with physical access from trivially bypassing security ++ on the machine through valid troubleshooting configurations and gaining root ++ access when the system is rebooted. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-86292-0 ++ ++references: ++ ospp: FIA_UAU.1 ++ ++ocil_clause: 'the comand returns a line' ++ ++ocil: |- ++ Ensure that debug-shell service is not enabled with the following command: ++
grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub
++ If the command returns a line, it means that debug-shell service is being enabled. ++ ++fixtext: |- ++ {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} ++ ++platform: machine ++ ++template: ++ name: grub2_bootloader_argument_absent ++ vars: ++ arg_name: systemd.debug-shell +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 431b133d416..b7af828fdb0 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -271,7 +271,6 @@ CCE-86288-8 + CCE-86289-6 + CCE-86290-4 + CCE-86291-2 +-CCE-86292-0 + CCE-86293-8 + CCE-86294-6 + CCE-86295-3 + +From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 8 Jul 2022 21:57:52 +0200 +Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent + +Create rule that ensures systemd.debug-shell=1 is not defined for the +kernel command line in zIPL. +--- + .../ansible/shared.yml | 38 ++++++++++++++ + .../bash/shared.sh | 9 ++++ + .../oval/shared.xml | 39 +++++++++++++++ + .../rule.yml | 50 +++++++++++++++++++ + .../tests/argument_missing.pass.sh | 8 +++ + .../tests/configured_in_cmdline.fail.sh | 10 ++++ + .../tests/configured_in_entry.fail.sh | 11 ++++ + .../multiple_configured_in_cmdline.fail.sh | 7 +++ + shared/references/cce-redhat-avail.txt | 1 - + 9 files changed, 172 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml + create mode 100644 
linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml +new file mode 100644 +index 00000000000..790dd88b6b4 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml +@@ -0,0 +1,38 @@ ++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 ++# reboot = true ++# strategy = configure ++# complexity = medium ++# disruption = low ++ ++- name: "Ensure BLS boot entries options contain systemd.debug-shell" ++ block: ++ - name: "Check how many boot entries set systemd.debug-shell" ++ find: ++ paths: "/boot/loader/entries/" ++ contains: "^options .*systemd.debug-shell.*$" ++ patterns: "*.conf" ++ register: n_entries ++ ++ - name: "Remove systemd.debug-shell from boot entries" ++ command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell" ++ when: n_entries is defined and n_entries.matched >= 1 ++ ++ - name: "Check if /etc/kernel/cmdline exists" ++ stat: ++ path: /etc/kernel/cmdline ++ register: cmdline_stat ++ ++ - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell" ++ find: ++ paths: "/etc/kernel/" ++ patterns: "cmdline" ++ contains: "^.*systemd.debug-shell.*$" ++ register: cmdline_find ++ ++ - name: "Remove systemd.debug-shell from /etc/kernel/cmdline" ++ lineinfile: ++ path: "/etc/kernel/cmdline" ++ 
backrefs: yes ++ regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$' ++ line: '\1\2' ++ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1 +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh +new file mode 100644 +index 00000000000..0d90d58db2c +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 ++ ++# Correct BLS option using grubby, which is a thin wrapper around BLS operations ++grubby --update-kernel=ALL --remove-args="systemd.debug-shell" ++ ++# Ensure new kernels and boot entries retain the boot option ++if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then ++ sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline ++fi +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml +new file mode 100644 +index 00000000000..1399c6f662f +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml +@@ -0,0 +1,39 @@ ++ ++ ++ {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. 
Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/boot/loader/entries/.*.conf ++ ^options (.*)$ ++ 1 ++ ++ ++ \bsystemd.debug-shell\b ++ ++ ++ ++ ++ ++ ++ ^/etc/kernel/cmdline ++ ^(.*)$ ++ 1 ++ ++ ++ \bsystemd.debug-shell\b ++ ++ +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml +new file mode 100644 +index 00000000000..3a442c4eb79 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml +@@ -0,0 +1,50 @@ ++documentation_complete: true ++ ++prodtype: rhcos4,rhel8,rhel9 ++ ++title: 'Ensure debug-shell service is not enabled in zIPL' ++ ++description: |- ++ systemd's debug-shell service is intended to ++ diagnose systemd related boot issues with various systemctl ++ commands. Once enabled and following a system reboot, the root shell ++ will be available on tty9 which is access by pressing ++ CTRL-ALT-F9. The debug-shell service should only be used ++ for systemd related issues and should otherwise be disabled. ++

++ By default, the debug-shell systemd service is already disabled. ++ ++ Ensure the debug-shell is not enabled by the systemd.debug-shel=1 ++ boot paramenter option. ++ ++ Check that not boot entries in /boot/loader/entries/*.conf have ++ systemd.debug-shell=1 included in its options.
++ To ensure that new kernels and boot entries don't enable the debug-shell, check ++ that systemd.debug-shell=1 is not present in /etc/kernel/cmdline. ++ ++rationale: |- ++ This prevents attackers with physical access from trivially bypassing security ++ on the machine through valid troubleshooting configurations and gaining root ++ access when the system is rebooted. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-86420-7 ++ ++references: ++ ospp: FIA_UAU.1 ++ ++ocil_clause: 'the comand returns a line' ++ ++ocil: |- ++ Ensure that debug-shell service is not enabled with the following command: ++
sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that enables the debug-shell. ++ ++platform: machine ++ ++#template: ++# name: zipl_bls_entries_option_absent ++# vars: ++# arg_name: systemd.debug-shell +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh +new file mode 100644 +index 00000000000..4649db979cf +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++# Make sure boot loader entries don't contain systemd.debug-shell ++sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* ++ ++# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell ++sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh +new file mode 100644 +index 00000000000..faac856fbed +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++# Make sure boot loader entries doesn't contain systemd.debug-shell ++sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* ++ ++# Make sure /etc/kernel/cmdline contains systemd.debug-shell ++if ! 
grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then ++ echo "systemd.debug-shell=1" >> /etc/kernel/cmdline ++fi +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh +new file mode 100644 +index 00000000000..fe07a37d0c3 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++# Remove systemd.debug-shell from all boot entries ++sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* ++# But make sure one boot loader entry contains systemd.debug-shell ++sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf ++sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf ++ ++# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell ++sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh +new file mode 100644 +index 00000000000..0c2febb0370 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++# Make sure boot loader entries doesn't contain systemd.debug-shell ++sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* ++ ++echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline 
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index b7af828fdb0..254fa817f8e 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -376,7 +376,6 @@ CCE-86416-5 + CCE-86417-3 + CCE-86418-1 + CCE-86419-9 +-CCE-86420-7 + CCE-86424-9 + CCE-86425-6 + CCE-86426-4 + +From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 7 Jul 2022 09:37:46 +0200 +Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP + +--- + products/rhel9/profiles/ospp.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index f902dd5e7cd..f1faaedb812 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,6 +75,7 @@ selections: + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction + - service_debug-shell_disabled ++ - grub2_systemd_debug-shell_argument_absent + + ### umask + - var_accounts_user_umask=027 +@@ -380,3 +381,4 @@ selections: + - zipl_audit_backlog_limit_argument + - zipl_init_on_alloc_argument + - zipl_page_alloc_shuffle_argument ++ - zipl_systemd_debug-shell_argument_absent diff --git a/scap-security-guide.spec b/scap-security-guide.spec index c72a9a6..fc03bbd 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -31,6 +31,7 @@ Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespace Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch +Patch7: scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch %description The scap-security-guide project provides a guide for configuration of the 
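Review bot: The zipl rule's OCIL check is inverted: `grep -L` prints the files that do NOT match, so on a compliant system every boot entry is listed, while the sentence after it tells the auditor that each returned line is an entry enabling the debug shell; it should be `sudo grep -El "^options\s+.*\bsystemd\.debug-shell=1\b" /boot/loader/entries/*.conf`. The `-E` matters because without it GNU grep's basic syntax treats the `+` in `\s+` as a literal character, so the pattern as written matches nothing and, combined with `-L`, flags every entry. The bash remediation's `sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline` carries no `g` flag and strips only one occurrence per line, which the multiple_configured_in_cmdline test name suggests was meant to be covered, although that test actually writes a single occurrence. Both rule.yml descriptions spell the parameter `systemd.debug-shel=1` and write `paramenter`, and both `ocil_clause` values read `comand`; these are user-visible in the generated guide. The `.` in `systemd.debug-shell` is unescaped in the grep, sed, Ansible and OVAL patterns, which is harmless here but worth tightening to `systemd\.debug-shell` as the pass-test script already does.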
@@ -113,6 +114,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md - make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716) - Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708) - Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809) +- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840) * Wed Jun 01 2022 Matej Tyc - 0.1.62-1 - Rebase to a new upstream release (RHBZ#2070563)