From 14378e5ed660ca398defd716667aa056051ce3ac Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek
Date: Mon, 1 Aug 2022 11:25:54 +0200
Subject: [PATCH] rebase to upstream version 0.1.63
Resolves: rhbz#2070563
Resolves: rhbz#2108158
Resolves: rhbz#2108167
Resolves: rhbz#2108173
Resolves: rhbz#2108224
Resolves: rhbz#2108226
Resolves: rhbz#2109984
Resolves: rhbz#2109992
Resolves: rhbz#2109994
Resolves: rhbz#2110347
Resolves: rhbz#2110350
---
 .gitignore | 1 +
 ..._debug-shell_argument_absent-PR_9100.patch | 369 --------
 ...t_access_success_unenforcing-PR_9082.patch | 27 -
 ...-drop_zipl_vsyscall_argument-PR_9083.patch | 60 --
 ...ke_fips_subpolicies_stricter-PR_9149.patch | 30 -
 ...-remove_network_sysctl_rules-PR_9092.patch | 200 -----
 ...uide-0.1.63-remove_nis_rules-PR_9148.patch | 38 -
 ...syslog_rules_from_rhel9_ospp-PR_9116.patch | 34 -
 ...ove_rule_login_defs_min_size-PR_9113.patch | 402 ---------
 ...sshd_enable_strictmodes_ospp-PR_9143.patch | 21 -
 ...ove_sysctl_proteced_fs_rules-PR_9081.patch | 30 -
 ...le_for_grub_disable_recovery-PR_9095.patch | 330 -------
 ...r_namespaces_enforce_in_ospp-PR_9084.patch | 27 -
 ...de-0.1.63-update_grub2_macro-PR_8616.patch | 809 ------------------
 scap-security-guide.spec | 21 +-
 sources | 2 +-
 16 files changed, 7 insertions(+), 2394 deletions(-)
 delete mode 100644 scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
 delete mode 100644 scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
 delete mode 100644 scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
 delete mode 100644 scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
 delete mode 100644 scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
 delete mode 100644 scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
 delete mode 100644 scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
 delete mode 100644 scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
diff --git a/.gitignore b/.gitignore
index 8a50c85..59351d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@
 /scap-security-guide-0.1.59.tar.bz2
 /scap-security-guide-0.1.60.tar.bz2
 /scap-security-guide-0.1.62.tar.bz2
+/scap-security-guide-0.1.63.tar.bz2
diff --git a/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch b/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
deleted file mode 100644
index debaae5..0000000
--- a/scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
+++ /dev/null
@@ -1,369 +0,0 @@ -From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 6 Jul 2022 16:55:59 +0200 -Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent - -Create rule that ensure that systemd.debug-shell=1 is not defined for -the kernel command line. ---- - .../rule.yml | 51 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 1 - - 2 files changed, 51 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml -new file mode 100644 -index 00000000000..8b6ff3bc333 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml -@@ -0,0 +1,51 @@ -+documentation_complete: true -+ -+title: 'Ensure debug-shell service is not enabled during boot' -+ -+description: |- -+ systemd's debug-shell service is intended to -+ diagnose systemd related boot issues with various systemctl -+ commands. Once enabled and following a system reboot, the root shell -+ will be available on tty9 which is access by pressing -+ CTRL-ALT-F9. The debug-shell service should only be used -+ for systemd related issues and should otherwise be disabled. -+

-+ By default, the debug-shell systemd service is already disabled. -+ -+ Ensure the debug-shell is not enabled by the systemd.debug-shel=1 -+ boot paramenter option. -+ -+ Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub -+ doesn't contain the argument systemd.debug-shell=1. -+ Run the following command to update command line for already installed kernels: -+
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
-+ -+rationale: |- -+ This prevents attackers with physical access from trivially bypassing security -+ on the machine through valid troubleshooting configurations and gaining root -+ access when the system is rebooted. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-86292-0 -+ -+references: -+ ospp: FIA_UAU.1 -+ -+ocil_clause: 'the comand returns a line' -+ -+ocil: |- -+ Ensure that debug-shell service is not enabled with the following command: -+
grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub
-+ If the command returns a line, it means that debug-shell service is being enabled. -+ -+fixtext: |- -+ {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} -+ -+platform: machine -+ -+template: -+ name: grub2_bootloader_argument_absent -+ vars: -+ arg_name: systemd.debug-shell -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 431b133d416..b7af828fdb0 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -271,7 +271,6 @@ CCE-86288-8 - CCE-86289-6 - CCE-86290-4 - CCE-86291-2 --CCE-86292-0 - CCE-86293-8 - CCE-86294-6 - CCE-86295-3 - -From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 8 Jul 2022 21:57:52 +0200 -Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent - -Create rule that ensures systemd.debug-shell=1 is not defined for the -kernel command line in zIPL. ---- - .../ansible/shared.yml | 38 ++++++++++++++ - .../bash/shared.sh | 9 ++++ - .../oval/shared.xml | 39 +++++++++++++++ - .../rule.yml | 50 +++++++++++++++++++ - .../tests/argument_missing.pass.sh | 8 +++ - .../tests/configured_in_cmdline.fail.sh | 10 ++++ - .../tests/configured_in_entry.fail.sh | 11 ++++ - .../multiple_configured_in_cmdline.fail.sh | 7 +++ - shared/references/cce-redhat-avail.txt | 1 - - 9 files changed, 172 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml - create mode 100644 
linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh - create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh - -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml -new file mode 100644 -index 00000000000..790dd88b6b4 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml -@@ -0,0 +1,38 @@ -+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+# reboot = true -+# strategy = configure -+# complexity = medium -+# disruption = low -+ -+- name: "Ensure BLS boot entries options contain systemd.debug-shell" -+ block: -+ - name: "Check how many boot entries set systemd.debug-shell" -+ find: -+ paths: "/boot/loader/entries/" -+ contains: "^options .*systemd.debug-shell.*$" -+ patterns: "*.conf" -+ register: n_entries -+ -+ - name: "Remove systemd.debug-shell from boot entries" -+ command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell" -+ when: n_entries is defined and n_entries.matched >= 1 -+ -+ - name: "Check if /etc/kernel/cmdline exists" -+ stat: -+ path: /etc/kernel/cmdline -+ register: cmdline_stat -+ -+ - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell" -+ find: -+ paths: "/etc/kernel/" -+ patterns: "cmdline" -+ contains: "^.*systemd.debug-shell.*$" -+ register: cmdline_find -+ -+ - name: "Remove systemd.debug-shell from /etc/kernel/cmdline" -+ lineinfile: -+ path: "/etc/kernel/cmdline" -+ 
backrefs: yes -+ regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$' -+ line: '\1\2' -+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1 -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh -new file mode 100644 -index 00000000000..0d90d58db2c ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh -@@ -0,0 +1,9 @@ -+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 -+ -+# Correct BLS option using grubby, which is a thin wrapper around BLS operations -+grubby --update-kernel=ALL --remove-args="systemd.debug-shell" -+ -+# Ensure new kernels and boot entries retain the boot option -+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then -+ sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline -+fi -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml -new file mode 100644 -index 00000000000..1399c6f662f ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml -@@ -0,0 +1,39 @@ -+ -+ -+ {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. 
Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^/boot/loader/entries/.*.conf -+ ^options (.*)$ -+ 1 -+ -+ -+ \bsystemd.debug-shell\b -+ -+ -+ -+ -+ -+ -+ ^/etc/kernel/cmdline -+ ^(.*)$ -+ 1 -+ -+ -+ \bsystemd.debug-shell\b -+ -+ -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml -new file mode 100644 -index 00000000000..3a442c4eb79 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml -@@ -0,0 +1,50 @@ -+documentation_complete: true -+ -+prodtype: rhcos4,rhel8,rhel9 -+ -+title: 'Ensure debug-shell service is not enabled in zIPL' -+ -+description: |- -+ systemd's debug-shell service is intended to -+ diagnose systemd related boot issues with various systemctl -+ commands. Once enabled and following a system reboot, the root shell -+ will be available on tty9 which is access by pressing -+ CTRL-ALT-F9. The debug-shell service should only be used -+ for systemd related issues and should otherwise be disabled. -+

-+ By default, the debug-shell systemd service is already disabled. -+ -+ Ensure the debug-shell is not enabled by the systemd.debug-shel=1 -+ boot paramenter option. -+ -+ Check that not boot entries in /boot/loader/entries/*.conf have -+ systemd.debug-shell=1 included in its options.
-+ To ensure that new kernels and boot entries don't enable the debug-shell, check -+ that systemd.debug-shell=1 is not present in /etc/kernel/cmdline. -+ -+rationale: |- -+ This prevents attackers with physical access from trivially bypassing security -+ on the machine through valid troubleshooting configurations and gaining root -+ access when the system is rebooted. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-86420-7 -+ -+references: -+ ospp: FIA_UAU.1 -+ -+ocil_clause: 'the comand returns a line' -+ -+ocil: |- -+ Ensure that debug-shell service is not enabled with the following command: -+
sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf
-+ No line should be returned, each line returned is a boot entry that enables the debug-shell. -+ -+platform: machine -+ -+#template: -+# name: zipl_bls_entries_option_absent -+# vars: -+# arg_name: systemd.debug-shell -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh -new file mode 100644 -index 00000000000..4649db979cf ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+# Make sure boot loader entries don't contain systemd.debug-shell -+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* -+ -+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell -+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh -new file mode 100644 -index 00000000000..faac856fbed ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+# Make sure boot loader entries doesn't contain systemd.debug-shell -+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* -+ -+# Make sure /etc/kernel/cmdline contains systemd.debug-shell -+if ! 
grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then -+ echo "systemd.debug-shell=1" >> /etc/kernel/cmdline -+fi -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh -new file mode 100644 -index 00000000000..fe07a37d0c3 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+# Remove systemd.debug-shell from all boot entries -+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* -+# But make sure one boot loader entry contains systemd.debug-shell -+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf -+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf -+ -+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell -+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true -diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh -new file mode 100644 -index 00000000000..0c2febb0370 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+# Make sure boot loader entries doesn't contain systemd.debug-shell -+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/* -+ -+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline 
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index b7af828fdb0..254fa817f8e 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -376,7 +376,6 @@ CCE-86416-5 - CCE-86417-3 - CCE-86418-1 - CCE-86419-9 --CCE-86420-7 - CCE-86424-9 - CCE-86425-6 - CCE-86426-4 - -From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 7 Jul 2022 09:37:46 +0200 -Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP - ---- - products/rhel9/profiles/ospp.profile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index f902dd5e7cd..f1faaedb812 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -75,6 +75,7 @@ selections: - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction - - service_debug-shell_disabled -+ - grub2_systemd_debug-shell_argument_absent - - ### umask - - var_accounts_user_umask=027 -@@ -380,3 +381,4 @@ selections: - - zipl_audit_backlog_limit_argument - - zipl_init_on_alloc_argument - - zipl_page_alloc_shuffle_argument -+ - zipl_systemd_debug-shell_argument_absent diff --git a/scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch b/scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch deleted file mode 100644 index f952658..0000000 --- a/scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From fd1f968504765db0ba5c32ac50058d7a05242343 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 1 Jul 2022 14:35:56 +0200 -Subject: [PATCH] Make rule audit_access_success in OSPP profile unenforcing - -Set severity to info and role to unscored, because the rule -creates an audit rule that creates generating huge amounts -of audit records generated. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2058154 ---- - products/rhel9/profiles/ospp.profile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 1fad0031749..8e54ae4281d 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -372,6 +372,8 @@ selections: - - audit_modify_success - - audit_access_failed - - audit_access_success -+ - audit_access_success.severity=info -+ - audit_access_success.role=unscored - - audit_delete_failed - - audit_delete_success - - audit_perm_change_failed diff --git a/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch b/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch deleted file mode 100644 index 2314eaf..0000000 --- a/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From b44f64edb4ff2631c7cda02866a07f1eb8888073 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 1 Jul 2022 14:55:53 +0200 -Subject: [PATCH] Remove rule zip_vsyscall_argument - -According to -https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=vsyscall -vsyscall is applicable to X86-64 but ZIPl is used only on -s390x on RHEL, and likely on other OSes as well. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2060049 ---- - products/rhel8/profiles/ospp.profile | 3 --- - products/rhel9/profiles/ospp.profile | 1 - - tests/data/profile_stability/rhel8/ospp.profile | 3 --- - 3 files changed, 7 deletions(-) - -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index e6a0dd75020..235ab3dcfad 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -437,6 +437,3 @@ selections: - - zipl_audit_backlog_limit_argument - - zipl_slub_debug_argument - - zipl_page_poison_argument -- - zipl_vsyscall_argument -- - zipl_vsyscall_argument.role=unscored -- - zipl_vsyscall_argument.severity=info -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 1fad0031749..c5a291d5c69 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -406,6 +406,5 @@ selections: - - zipl_bootmap_is_up_to_date - - zipl_audit_argument - - zipl_audit_backlog_limit_argument -- - zipl_vsyscall_argument - - zipl_init_on_alloc_argument - - zipl_page_alloc_shuffle_argument -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index f2a56411e6f..5757acf030e 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -233,7 +233,6 @@ selections: - - zipl_bootmap_is_up_to_date - - zipl_page_poison_argument - - zipl_slub_debug_argument --- 
zipl_vsyscall_argument - - var_sshd_set_keepalive=0 - - var_rekey_limit_size=1G - - var_rekey_limit_time=1hour -@@ -265,8 +264,6 @@ selections: - - grub2_vsyscall_argument.severity=info - - sysctl_user_max_user_namespaces.role=unscored - - sysctl_user_max_user_namespaces.severity=info --- zipl_vsyscall_argument.role=unscored --- zipl_vsyscall_argument.severity=info - platforms: !!set {} - cpe_names: !!set {} - platform: null diff --git a/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch b/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch deleted file mode 100644 index 66b2b40..0000000 --- a/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Thu, 14 Jul 2022 17:28:00 +0200 -Subject: [PATCH] Reduce the list of FIPS crypto policies - -RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers -as FIPS, except the FIPS:OSPP. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082 ---- - .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 7cf1de346a7..65056a654c6 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -21,7 +21,12 @@ - var_system_crypto_policy - - -+ {{% if product in ["ol9","rhel9"] -%}} -+ ^FIPS(:OSPP)?$ -+ {{%- else %}} -+ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} - ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ -+ {{%- endif %}} - - - 
diff --git a/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch b/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch deleted file mode 100644 index c7f18c6..0000000 --- a/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 13:52:01 +0200 -Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with - default value - -Remove rules that just reenforce RHEL9 default without specific -OSPP requirement. ---- - products/rhel9/profiles/ospp.profile | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 534b3312575..6b57dcdeeb7 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -78,20 +78,12 @@ selections: - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_default_accept_redirects -- - sysctl_net_ipv4_conf_all_accept_source_route -- - sysctl_net_ipv4_conf_default_accept_source_route -- - sysctl_net_ipv6_conf_all_accept_source_route -- - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_default_secure_redirects - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_default_log_martians -- - sysctl_net_ipv4_conf_all_rp_filter -- - sysctl_net_ipv4_conf_default_rp_filter -- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv4_tcp_syncookies - - -From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 13:58:24 +0200 -Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality - -The TCP SYN cookikes rules may prevent some TCP options from working; -and without accepting Router Advertisements, ability of hosts to use -IPv6 becomes severely limited. 
---- - products/rhel9/profiles/ospp.profile | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 6b57dcdeeb7..d0000be5041 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -72,8 +72,6 @@ selections: - - chronyd_client_only - - ### Network Settings -- - sysctl_net_ipv6_conf_all_accept_ra -- - sysctl_net_ipv6_conf_default_accept_ra - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv6_conf_all_accept_redirects -@@ -85,7 +83,6 @@ selections: - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_ip_forward -- - sysctl_net_ipv4_tcp_syncookies - - ### systemd - - disable_ctrlaltdel_reboot - -From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 14:01:41 +0200 -Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not - related to OSPP - -Removes rules that change RHEL9 default values but are not related to -any specific OSPP requirement ---- - products/rhel9/profiles/ospp.profile | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index d0000be5041..e9dbb8bc7bd 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -72,10 +72,6 @@ selections: - - chronyd_client_only - - ### Network Settings -- - sysctl_net_ipv4_conf_all_accept_redirects -- - sysctl_net_ipv4_conf_default_accept_redirects -- - sysctl_net_ipv6_conf_all_accept_redirects -- - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_default_secure_redirects - - sysctl_net_ipv4_conf_all_send_redirects - -From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 
Jul 2022 14:03:53 +0200 -Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect - the TOE - -Remove rules that changes the default value but don't impact the -security of the TOE in any way. ---- - products/rhel9/profiles/ospp.profile | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index e9dbb8bc7bd..159170d5ff9 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -74,8 +74,6 @@ selections: - ### Network Settings - - sysctl_net_ipv4_conf_all_secure_redirects - - sysctl_net_ipv4_conf_default_secure_redirects -- - sysctl_net_ipv4_conf_all_send_redirects -- - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_ip_forward - -From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 14:05:22 +0200 -Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE - -Sysctl allows redirects only when they are considered secure. 
---- - products/rhel9/profiles/ospp.profile | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 159170d5ff9..771daed43e2 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -72,8 +72,6 @@ selections: - - chronyd_client_only - - ### Network Settings -- - sysctl_net_ipv4_conf_all_secure_redirects -- - sysctl_net_ipv4_conf_default_secure_redirects - - sysctl_net_ipv4_conf_all_log_martians - - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_ip_forward - -From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 14:08:47 +0200 -Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules - -Remove rules that might help with detecting network issues but not -related to TOE security. ---- - products/rhel9/profiles/ospp.profile | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 771daed43e2..58702502bf4 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -72,8 +72,6 @@ selections: - - chronyd_client_only - - ### Network Settings -- - sysctl_net_ipv4_conf_all_log_martians -- - sysctl_net_ipv4_conf_default_log_martians - - sysctl_net_ipv4_ip_forward - - ### systemd - -From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 Jul 2022 14:09:57 +0200 -Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding - -Remove rule that prevents routing which is a valid use-case. -This is also needed for containerized and VM-hosting setups. 
---- - products/rhel9/profiles/ospp.profile | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 58702502bf4..c9e944b32d2 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -71,9 +71,6 @@ selections: - # Time Server - - chronyd_client_only - -- ### Network Settings -- - sysctl_net_ipv4_ip_forward -- - ### systemd - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction diff --git a/scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch b/scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch deleted file mode 100644 index 1356627..0000000 --- a/scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 0d1803f0bfd793ff6038d05430d1ffa6ecdf073d Mon Sep 17 00:00:00 2001 -From: Matej Tyc -Date: Thu, 14 Jul 2022 17:06:50 +0200 -Subject: [PATCH] Remove yp-related rules from RHEL9 - -The package is not supported on that system: -https://access.redhat.com/solutions/5991271 - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2096602 ---- - .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +- - .../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -index 9be95ffed5c..d8a3910ff4d 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 - - title: 'Remove NIS Client' - -diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -index dc9a2dfb987..0e260a846d1 100644 ---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019 -+prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 - - title: 'Uninstall ypserv Package' - diff --git a/scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch b/scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch deleted file mode 100644 index 0dfeb67..0000000 --- a/scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From f5a025d27828e9685478fa54a7a6e510ead44bea Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 10:49:25 +0200 -Subject: [PATCH] remove rules from rhel9 ospp profile - ---- - products/rhel9/profiles/ospp.profile | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index f902dd5e7cd..c9c4c1a33c8 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -146,9 +146,6 @@ selections: - - package_openssh-server_installed - - package_openssh-clients_installed - - package_policycoreutils-python-utils_installed -- - package_rsyslog_installed -- - package_rsyslog-gnutls_installed -- - package_audispd-plugins_installed - - package_chrony_installed - - package_gnutls-utils_installed - -@@ -364,10 +361,6 @@ selections: - # Enable dnf-automatic Timer - - timer_dnf-automatic_enabled - -- # Configure TLS for remote logging -- - rsyslog_remote_tls -- - rsyslog_remote_tls_cacert -- - # Prevent Kerberos use by system daemons - - kerberos_disable_no_keytab - diff --git a/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch b/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch deleted file mode 100644 index 310fb32..0000000 --- a/scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch +++ /dev/null 
@@ -1,402 +0,0 @@ -From d0ea0f62dcf91041afb6de4d282aa2001cc2a449 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:39:06 +0200 -Subject: [PATCH 1/7] remove rule and variable from RHEL9 profiles - ---- - products/rhel9/profiles/ospp.profile | 2 -- - products/rhel9/profiles/stig.profile | 4 ---- - 2 files changed, 6 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index c9e944b32d2..0abd2e4f2ff 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -211,8 +211,6 @@ selections: - - ## Configure Minimum Password Length to 12 Characters - ## IA-5 (1)(a) / FMT_MOF_EXT.1 -- - var_accounts_password_minlen_login_defs=12 -- - accounts_password_minlen_login_defs - - var_password_pam_minlen=12 - - accounts_password_pam_minlen - -diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile -index 55520623e8c..a130580acc5 100644 ---- a/products/rhel9/profiles/stig.profile -+++ b/products/rhel9/profiles/stig.profile -@@ -42,7 +42,6 @@ selections: - - var_password_pam_remember_control_flag=required - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted -- - var_accounts_password_minlen_login_defs=15 - - var_password_pam_unix_rounds=5000 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 -@@ -578,9 +577,6 @@ selections: - # RHEL-08-020230 - - accounts_password_pam_minlen - -- # RHEL-08-020231 -- - accounts_password_minlen_login_defs -- - # RHEL-08-020240 - - account_unique_id - - -From ecbb5502adefc3ad5adffb277334bca2e332a86b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:39:22 +0200 -Subject: [PATCH 2/7] remove rule and variable from RHEL8 profiles - ---- - products/rhel8/profiles/cjis.profile | 1 - - products/rhel8/profiles/ospp.profile | 2 -- - products/rhel8/profiles/rht-ccp.profile | 2 -- - products/rhel8/profiles/stig.profile | 4 ---- - 4 files changed, 9 deletions(-) - 
-diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 96e0aaeee79..30843b692ef 100644 ---- a/products/rhel8/profiles/cjis.profile -+++ b/products/rhel8/profiles/cjis.profile -@@ -63,7 +63,6 @@ selections: - - accounts_password_all_shadowed - - no_empty_passwords - - display_login_attempts -- - var_accounts_password_minlen_login_defs=12 - - var_accounts_maximum_age_login_defs=90 - - var_password_pam_unix_remember=10 - - var_account_disable_post_pw_expiration=0 -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index 235ab3dcfad..39ad1797c7a 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -264,8 +264,6 @@ selections: - - ## Configure Minimum Password Length to 12 Characters - ## IA-5 (1)(a) / FMT_MOF_EXT.1 -- - var_accounts_password_minlen_login_defs=12 -- - accounts_password_minlen_login_defs - - var_password_pam_minlen=12 - - accounts_password_pam_minlen - -diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index 3b747fdecc8..e8e7e3a72f2 100644 ---- a/products/rhel8/profiles/rht-ccp.profile -+++ b/products/rhel8/profiles/rht-ccp.profile -@@ -14,7 +14,6 @@ selections: - - file_owner_logfiles_value=root - - file_groupowner_logfiles_value=root - - sshd_idle_timeout_value=5_minutes -- - var_accounts_password_minlen_login_defs=6 - - var_accounts_minimum_age_login_defs=7 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_password_warn_age_login_defs=7 -@@ -43,7 +42,6 @@ selections: - - no_empty_passwords - - accounts_password_all_shadowed - - accounts_no_uid_except_zero -- - accounts_password_minlen_login_defs - - accounts_minimum_age_login_defs - - accounts_password_warn_age_login_defs - - accounts_password_pam_retry -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index e6923824c79..9fb371d701a 100644 ---- 
a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ -41,7 +41,6 @@ selections: - - var_password_pam_remember_control_flag=required - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted -- - var_accounts_password_minlen_login_defs=15 - - var_password_pam_unix_rounds=5000 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 -@@ -607,9 +606,6 @@ selections: - # RHEL-08-020230 - - accounts_password_pam_minlen - -- # RHEL-08-020231 -- - accounts_password_minlen_login_defs -- - # RHEL-08-020240 - - account_unique_id - - -From 38897e5e5ff44cc442aa3b0a7e8046c42547fafd Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:39:37 +0200 -Subject: [PATCH 3/7] remove rule and variable from RHEL7 profiles - ---- - products/rhel7/profiles/cjis.profile | 1 - - products/rhel7/profiles/ncp.profile | 1 - - products/rhel7/profiles/ospp.profile | 2 -- - products/rhel7/profiles/rhelh-stig.profile | 2 -- - products/rhel7/profiles/rht-ccp.profile | 2 -- - 5 files changed, 8 deletions(-) - -diff --git a/products/rhel7/profiles/cjis.profile b/products/rhel7/profiles/cjis.profile -index 35bc9c27ee7..fceccdac77d 100644 ---- a/products/rhel7/profiles/cjis.profile -+++ b/products/rhel7/profiles/cjis.profile -@@ -63,7 +63,6 @@ selections: - - accounts_password_all_shadowed - - no_empty_passwords - - display_login_attempts -- - var_accounts_password_minlen_login_defs=12 - - var_accounts_maximum_age_login_defs=90 - - var_password_pam_unix_remember=10 - - var_account_disable_post_pw_expiration=0 -diff --git a/products/rhel7/profiles/ncp.profile b/products/rhel7/profiles/ncp.profile -index db7fa8ff7b9..4761a6cebc2 100644 ---- a/products/rhel7/profiles/ncp.profile -+++ b/products/rhel7/profiles/ncp.profile -@@ -285,7 +285,6 @@ selections: - - var_account_disable_post_pw_expiration=35 - - var_accounts_maximum_age_login_defs=60 - - var_accounts_minimum_age_login_defs=7 -- - var_accounts_password_minlen_login_defs=6 - - 
var_accounts_password_warn_age_login_defs=7 - - var_accounts_tmout=10_min - - var_password_pam_difok=8 -diff --git a/products/rhel7/profiles/ospp.profile b/products/rhel7/profiles/ospp.profile -index 0d84cec4fb0..2ab41bad0bc 100644 ---- a/products/rhel7/profiles/ospp.profile -+++ b/products/rhel7/profiles/ospp.profile -@@ -180,8 +180,6 @@ selections: - - ## Configure Minimum Password Length to 12 Characters - ## IA-5 (1)(a) / FMT_MOF_EXT.1 -- - var_accounts_password_minlen_login_defs=12 -- - accounts_password_minlen_login_defs - - var_password_pam_minlen=12 - - accounts_password_pam_minlen - -diff --git a/products/rhel7/profiles/rhelh-stig.profile b/products/rhel7/profiles/rhelh-stig.profile -index 98be35b146e..13c175d5b80 100644 ---- a/products/rhel7/profiles/rhelh-stig.profile -+++ b/products/rhel7/profiles/rhelh-stig.profile -@@ -13,7 +13,6 @@ selections: - - inactivity_timeout_value=15_minutes - - var_password_pam_minlen=15 - - accounts_password_pam_minlen -- - accounts_password_minlen_login_defs - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit - - var_password_pam_dcredit=1 -@@ -330,7 +329,6 @@ selections: - - var_accounts_max_concurrent_login_sessions=10 - - var_accounts_maximum_age_login_defs=60 - - var_accounts_minimum_age_login_defs=7 -- - var_accounts_password_minlen_login_defs=6 - - var_accounts_password_warn_age_login_defs=7 - - var_accounts_tmout=10_min - - var_password_pam_difok=8 -diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile -index 13f79781d6e..12a3a25013a 100644 ---- a/products/rhel7/profiles/rht-ccp.profile -+++ b/products/rhel7/profiles/rht-ccp.profile -@@ -14,7 +14,6 @@ selections: - - file_owner_logfiles_value=root - - file_groupowner_logfiles_value=root - - sshd_idle_timeout_value=5_minutes -- - var_accounts_password_minlen_login_defs=6 - - var_accounts_minimum_age_login_defs=7 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_password_warn_age_login_defs=7 -@@ 
-43,7 +42,6 @@ selections: - - no_empty_passwords - - accounts_password_all_shadowed - - accounts_no_uid_except_zero -- - accounts_password_minlen_login_defs - - accounts_minimum_age_login_defs - - accounts_password_warn_age_login_defs - - accounts_password_pam_retry - -From f513f5c2ce4d799a64c0535174aba21fbb5bd958 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:39:51 +0200 -Subject: [PATCH 4/7] remove rule and variable from Fedora profiles - ---- - products/fedora/profiles/ospp.profile | 1 - - products/fedora/profiles/standard.profile | 2 -- - 2 files changed, 3 deletions(-) - -diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile -index 49bb4bf8529..42a17b419a2 100644 ---- a/products/fedora/profiles/ospp.profile -+++ b/products/fedora/profiles/ospp.profile -@@ -29,7 +29,6 @@ selections: - - var_selinux_state=enforcing - - var_password_pam_minlen=12 - - accounts_password_pam_minlen -- - accounts_password_minlen_login_defs - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit - - var_password_pam_dcredit=1 -diff --git a/products/fedora/profiles/standard.profile b/products/fedora/profiles/standard.profile -index 37087083996..ffd385fb7ce 100644 ---- a/products/fedora/profiles/standard.profile -+++ b/products/fedora/profiles/standard.profile -@@ -26,8 +26,6 @@ selections: - - accounts_password_all_shadowed - - gid_passwd_group_same - - no_netrc_files -- - var_accounts_password_minlen_login_defs=12 -- - accounts_password_minlen_login_defs - - var_accounts_minimum_age_login_defs=7 - - accounts_minimum_age_login_defs - - var_accounts_maximum_age_login_defs=90 - -From 8dc814b2ae523c13fa6ed117e5b4e1e78b813f8c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:40:06 +0200 -Subject: [PATCH 5/7] remove rule and variable from control files - ---- - controls/anssi.yml | 3 --- - controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml | 2 -- - controls/stig_rhel8.yml | 4 +--- - 3 files 
changed, 1 insertion(+), 8 deletions(-) - -diff --git a/controls/anssi.yml b/controls/anssi.yml -index 549ae2994ca..ed840cc5292 100644 ---- a/controls/anssi.yml -+++ b/controls/anssi.yml -@@ -343,9 +343,6 @@ controls: - # Ensure passwords with minimum of 18 characters - - var_password_pam_minlen=18 - - accounts_password_pam_minlen -- # Enforce password lenght for new accounts -- - var_accounts_password_minlen_login_defs=18 -- - accounts_password_minlen_login_defs - # Require at Least 1 Special Character in Password - - var_password_pam_ocredit=1 - - accounts_password_pam_ocredit -diff --git a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml -index 85ae75210ba..ed2aa7ed196 100644 ---- a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml -+++ b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml -@@ -6,7 +6,5 @@ controls: - rules: - - accounts_password_pam_enforce_root - - accounts_password_pam_minlen -- - accounts_password_minlen_login_defs - - var_password_pam_minlen=15 -- - var_accounts_password_minlen_login_defs=15 - status: automated -diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml -index 4e2d27c3910..d866b194a0f 100644 ---- a/controls/stig_rhel8.yml -+++ b/controls/stig_rhel8.yml -@@ -1140,9 +1140,7 @@ controls: - levels: - - medium - title: RHEL 8 passwords for new users must have a minimum of 15 characters. 
-- rules: -- - accounts_password_minlen_login_defs -- status: automated -+ status: inherently met - - id: RHEL-08-020240 - levels: - - medium - -From 23b296d8428d6e8f9dd16cf7b0c37a469f904ce8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:41:15 +0200 -Subject: [PATCH 6/7] update profile stability tests - ---- - tests/data/profile_stability/rhel8/ospp.profile | 2 -- - tests/data/profile_stability/rhel8/stig.profile | 2 -- - tests/data/profile_stability/rhel8/stig_gui.profile | 2 -- - 3 files changed, 6 deletions(-) - -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 5757acf030e..5d73a8c6fef 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -23,7 +23,6 @@ metadata: - reference: https://www.niap-ccevs.org/Profile/PP.cfm - selections: - - accounts_max_concurrent_login_sessions --- accounts_password_minlen_login_defs - - accounts_password_pam_dcredit - - accounts_password_pam_difok - - accounts_password_pam_lcredit -@@ -248,7 +247,6 @@ selections: - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted - - var_system_crypto_policy=fips_ospp --- var_accounts_password_minlen_login_defs=12 - - var_password_pam_minlen=12 - - var_password_pam_ocredit=1 - - var_password_pam_dcredit=1 -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 5a304768288..9c9ceae6b2c 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -42,7 +42,6 @@ selections: - - accounts_minimum_age_login_defs - - accounts_no_uid_except_zero - - accounts_password_all_shadowed_sha512 --- accounts_password_minlen_login_defs - - accounts_password_pam_dcredit - - accounts_password_pam_dictcheck - - accounts_password_pam_difok -@@ -429,7 +428,6 @@ selections: - - var_password_pam_remember_control_flag=required 
- - var_selinux_state=enforcing - - var_selinux_policy_name=targeted --- var_accounts_password_minlen_login_defs=15 - - var_password_pam_unix_rounds=5000 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index 98bfa495ad1..f6a66f6069b 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -53,7 +53,6 @@ selections: - - accounts_minimum_age_login_defs - - accounts_no_uid_except_zero - - accounts_password_all_shadowed_sha512 --- accounts_password_minlen_login_defs - - accounts_password_pam_dcredit - - accounts_password_pam_dictcheck - - accounts_password_pam_difok -@@ -437,7 +436,6 @@ selections: - - var_password_pam_remember_control_flag=required - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted --- var_accounts_password_minlen_login_defs=15 - - var_password_pam_unix_rounds=5000 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - -From 0763b1aa2a5e4ee043d0ff2e30ef71d122d58e0d Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 Jul 2022 16:41:33 +0200 -Subject: [PATCH 7/7] remove no longer applicable references from the rule - ---- - .../accounts_password_minlen_login_defs/rule.yml | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -index 49a7816b8cc..fdd851043bc 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -@@ -45,10 +45,8 @@ references: - iso27001-2013: 
A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 - nist: IA-5(f),IA-5(1)(a),CM-6(a) - nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 -- ospp: FMT_MOF_EXT.1 - srg: SRG-OS-000078-GPOS-00046 - stigid@ol8: OL08-00-020231 -- stigid@rhel8: RHEL-08-020231 - - ocil_clause: 'it is not set to the required value' - diff --git a/scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch b/scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch deleted file mode 100644 index 8243bf1..0000000 --- a/scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch +++ /dev/null @@ -1,21 +0,0 @@ -From a607fe9715106b88511fd664b320ee63f6497ede Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 13 Jul 2022 14:07:25 +0200 -Subject: [PATCH] remove rule from rhel9 ospp - ---- - products/rhel9/profiles/ospp.profile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 75e5b0f5ed4..4ba874db90f 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -58,7 +58,6 @@ selections: - # sshd - - sshd_use_directory_configuration - - sshd_disable_root_login -- - sshd_enable_strictmodes - - disable_host_auth - - sshd_disable_empty_passwords - - sshd_disable_kerb_auth diff --git a/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch b/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch deleted file mode 100644 index 271f117..0000000 --- a/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 5b0ff05c2377a8a8a5ef13d34fc71ce0587ed6df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 1 Jul 2022 13:04:48 +0200 -Subject: [PATCH] Remove sysctl_fs_protected_* rules from RHEL 9 OSPP - -The sysctl_fs_protected_hardlinks and sysctl_fs_protected_symlinks rules -reenforce the RHEL 9 default value. While that protection is useful, -there is no specific OSPP SFR or other reason for the SCAP rules in the -OSPP profile. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2081719 ---- - products/rhel9/profiles/ospp.profile | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 1fad0031749..5536dd7b2b6 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -141,10 +141,6 @@ selections: - - sysctl_net_core_bpf_jit_harden - - service_kdump_disabled - -- ## File System Settings -- - sysctl_fs_protected_hardlinks -- - sysctl_fs_protected_symlinks -- - ### Audit - - service_auditd_enabled - - var_auditd_flush=incremental_async diff --git a/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch b/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch deleted file mode 100644 index b4194f7..0000000 --- a/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch +++ /dev/null 
@@ -1,330 +0,0 @@ -From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 4 Jul 2022 15:46:31 +0200 -Subject: [PATCH 1/5] Create rule grub2_disable_recovery - -Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true -option in /etc/default/grub. The rule is similar to -grub2_disable_interactive_boot, but that one in addition checks -for systemd.confirm_spawn. This is introduced for OSPP. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809 ---- - .../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++ - .../grub2_disable_recovery/bash/shared.sh | 13 ++++++ - .../grub2_disable_recovery/oval/shared.xml | 9 ++++ - .../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++ - .../tests/correct_value.pass.sh | 3 ++ - .../tests/wrong_value.fail.sh | 3 ++ - shared/references/cce-redhat-avail.txt | 1 - - 7 files changed, 91 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml -new file mode 100644 -index 00000000000..f6285cb13cb ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml -@@ -0,0 +1,20 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = restrict -+# 
complexity = low -+# disruption = low -+ -+- name: Verify GRUB_DISABLE_RECOVERY=true -+ lineinfile: -+ path: /etc/default/grub -+ regexp: '^GRUB_DISABLE_RECOVERY=.*' -+ line: 'GRUB_DISABLE_RECOVERY=true' -+ state: present -+ -+{{% if product in ['sle12', 'sle15'] %}} -+- name: Update grub defaults and the bootloader menu -+ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg -+{{% else %}} -+- name: Update grub defaults and the bootloader menu -+ command: /sbin/grubby --update-kernel=ALL -+{{% endif -%}} -\ No newline at end of file -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh -new file mode 100644 -index 00000000000..78322e63446 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh -@@ -0,0 +1,13 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then -+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" -+else -+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -+fi -+ -+{{{ grub_command("update") }}} -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml -new file mode 100644 -index 00000000000..10adbe0a30b ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml -@@ -0,0 +1,9 @@ -+ -+ -+ {{{ oval_metadata("Recovery mode should be disabled.") }}} -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -new file mode 100644 -index 00000000000..4f8d4ddcfde ---- /dev/null -+++ 
b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -@@ -0,0 +1,43 @@ -+documentation_complete: true -+ -+title: 'Disable Recovery Booting' -+ -+description: |- -+ {{{ full_name }}} systems support an "recovery boot" option that can be used -+ to prevent services from being started. The GRUB_DISABLE_RECOVERY -+ configuration option in /etc/default/grub should be set to -+ true to disable the generation of recovery mode menu entries. It is -+ also required to change the runtime configuration, run: -+
$ sudo {{{ grub_command("update") }}}
-+ -+rationale: |- -+ Using recovery boot, the console user could disable auditing, firewalls, -+ or other services, weakening system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-85986-8 -+ -+references: -+ ospp: FIA_UAU.1 -+ -+ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing' -+ -+ocil: |- -+ Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. -+ Run the following command: -+ -+ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub -+ -+fixtext: |- -+ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries. -+ Add or edit the following line in /etc/default/grub: -+ -+ GRUB_DISABLE_RECOVERY=true -+ -+ Then, run the following command: -+ -+ $ sudo {{{ grub_command("update") }}} -+ -+platform: grub2 -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh -new file mode 100644 -index 00000000000..cb8824a6bef ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -\ No newline at end of file -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh -new file mode 100644 -index 00000000000..7241fd5aad6 ---- /dev/null -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub' -\ No newline at end of file -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index ee246384416..431b133d416 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ 
b/shared/references/cce-redhat-avail.txt -@@ -44,7 +44,6 @@ CCE-85982-7 - CCE-85983-5 - CCE-85984-3 - CCE-85985-0 --CCE-85986-8 - CCE-85988-4 - CCE-85997-5 - CCE-85998-3 - -From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 4 Jul 2022 15:52:10 +0200 -Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP - -Use grub2_disable_recovery instead of grub2_disable_interactive_boot -to check solely for the GRUB_DISABLE_RECOVERY=true config option. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809 ---- - products/rhel9/profiles/ospp.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 534b3312575..8245bb9ce63 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -275,7 +275,7 @@ selections: - ## Disable Unauthenticated Login (such as Guest Accounts) - ## FIA_UAU.1 - - require_singleuser_auth -- - grub2_disable_interactive_boot -+ - grub2_disable_recovery - - grub2_uefi_password - - no_empty_passwords - - -From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 4 Jul 2022 16:05:22 +0200 -Subject: [PATCH 3/5] Fix regular expression - -The original expression `^true|"true"$` could match things like -`truex` or `x"true"` because the first alternative doesn't contain -`$` and the second alternative doesn't contain `^`. 
---- - shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml -index 563006cd803..ff64177d6df 100644 ---- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml -+++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml -@@ -31,7 +31,7 @@ - - -- ^true|"true"$ -+ ^(true|"true")$ - - - - -From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 4 Jul 2022 17:18:37 +0200 -Subject: [PATCH 4/5] Improve a regular expression - -According to -https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn -the option systemd.confirm_spawn can be also specified without an -argument, with the same effect as a positive boolean. This commit -changes the regular expression used in checks for this, forbidding also -the occurence of systemd.confirm_spawn without any argument. Also -improves whitespace handling. Also adds a test scenario covering the -situation in which the systemd.confirm_spawn is also specified without -an argument. 
---- - .../oval/shared.xml | 2 +- - ...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++ - 2 files changed, 26 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh - -diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml -index 837fc037300..e7358a49fa9 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml -+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml -@@ -25,7 +25,7 @@ - - /etc/default/grub -- ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ -+ ^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$ - 1 - - -diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh -new file mode 100644 -index 00000000000..37a12f021e4 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh -@@ -0,0 +1,25 @@ -+#!/bin/bash -+ -+# The option systemd.confirm_spawn can be also specified without an argument, -+# with the same effect as a positive boolean. 
-+CONFIRM_SPAWN_OPT="systemd.confirm_spawn" -+ -+if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then -+ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then -+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub -+ else -+ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub -+ fi -+else -+ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub -+fi -+ -+if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then -+ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then -+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub -+ else -+ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub -+ fi -+else -+ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub -+fi - -From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 4 Jul 2022 17:36:07 +0200 -Subject: [PATCH 5/5] Fix missing newlines at EOF - ---- - .../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +- - .../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +- - .../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml -index f6285cb13cb..4348e239f2e 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml -@@ -17,4 +17,4 @@ - {{% else %}} - - name: Update grub defaults and the bootloader menu - command: /sbin/grubby --update-kernel=ALL --{{% endif -%}} -\ No newline at end of file -+{{% endif -%}} -diff --git 
a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh -index cb8824a6bef..e8fa3574436 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh -@@ -1,3 +1,3 @@ - #!/bin/bash - --echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -\ No newline at end of file -+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh -index 7241fd5aad6..20392dc7f7a 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh -@@ -1,3 +1,3 @@ - #!/bin/bash - --echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub' -\ No newline at end of file -+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub' diff --git a/scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch b/scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch deleted file mode 100644 index a8855bf..0000000 --- a/scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch +++ /dev/null 
@@ -1,27 +0,0 @@
-From b18adf58035b2c2ce1d4259bccb52d364bf7a6a0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Fri, 1 Jul 2022 15:22:03 +0200
-Subject: [PATCH] Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP
-
-Removal of the role and severity attributes will cause that
-the rule will start to be evaluated and remediation will
-actually disable the user namespaces on the target system.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083716
----
- products/rhel9/profiles/ospp.profile | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index 1fad0031749..136bb163646 100644
---- a/products/rhel9/profiles/ospp.profile
-+++ b/products/rhel9/profiles/ospp.profile
-@@ -135,8 +135,6 @@ selections:
- - sysctl_kernel_yama_ptrace_scope
- - sysctl_kernel_perf_event_paranoid
- - sysctl_user_max_user_namespaces
-- - sysctl_user_max_user_namespaces.role=unscored
-- - sysctl_user_max_user_namespaces.severity=info
- - sysctl_kernel_unprivileged_bpf_disabled
- - sysctl_net_core_bpf_jit_harden
- - service_kdump_disabled
diff --git a/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch b/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
deleted file mode 100644
index f1650bb..0000000
--- a/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
+++ /dev/null
@@ -1,809 +0,0 @@
-From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 11:45:20 +0200
-Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth
-
-Extends the OCIL text according to the OVAL check.
----
- .../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index cc0a2c53017..1d5febf54c7 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -53,7 +53,7 @@ ocil: |-
- To check if authentication is required for emergency mode, run the following command:
-
$ grep sulogin /usr/lib/systemd/system/emergency.service
- The output should be similar to the following, and the line must begin with
-- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}}
-+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
- ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
-
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
- {{%- else -%}}
-@@ -61,4 +61,20 @@ ocil: |-
-
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
- {{%- endif %}}
-
-+ Then, check if the emergency target requires the emergency service:
-+ Run the following command:
-+
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
-+ The output should be the following:
-+
Requires=emergency.service
-+
-+ Then, check if there is no custom emergency target configured in systemd configuration.
-+ Run the following command:
-+
$ sudo grep -r emergency.target /etc/systemd/system/
-+ The output should be empty.
-+
-+ Then, check if there is no custom emergency service configured in systemd configuration.
-+ Run the following command:
-+
$ sudo grep -r emergency.service /etc/systemd/system/
-+ The output should be empty.
-+
- platform: machine
-
-From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 11:46:19 +0200
-Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth
-
----
- .../require_emergency_target_auth/rule.yml | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-index 1d5febf54c7..c4860915b67 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
-@@ -78,3 +78,13 @@ ocil: |-
- The output should be empty.
-
- platform: machine
-+
-+fixtext: |-
-+ Configure {{{ full_name }}} to require authentication for system emergency mode.
-+
-+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
-+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
-+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
-+ {{%- else -%}}
-+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-+ {{%- endif %}}
-
-From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 13:43:16 +0200
-Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth
-
----
- .../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index 8d7a4fa7b74..cbd048aad0a 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++
b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -70,4 +70,22 @@ ocil: |-
-
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
- {{%- endif %}}
-
-+ {{% if product not in ["ol8", "rhel8"] %}}
-+ Then, verify that the rescue service is in the runlevel1.target.
-+ Run the following command:
-+
$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target
-+ The output should be the following:
-+
Requires=sysinit.target rescue.service
-+
-+ Then, check if there is no custom runlevel1 target configured in systemd configuration.
-+ Run the following command:
-+
$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
-+ There should be no output.
-+
-+ Then, check if there is no custom rescue service configured in systemd configuration.
-+ Run the following command:
-+
$ sudo grep -r "^rescue.service$" /etc/systemd/system
-+ There should be no output.
-+ {{% endif %}}
-+
- platform: machine
-
-From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 13:43:30 +0200
-Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth
-
----
- .../require_singleuser_auth/rule.yml | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index cbd048aad0a..3a0cad455cc 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -89,3 +89,20 @@ ocil: |-
- {{% endif %}}
-
- platform: machine
-+
-+fixtext: |-
-+ Configure {{{ full_name }}} to require authentication in single user mode.
-+
-+ {{% if init_system == "systemd" -%}}
-+ Add or update the following line in "/usr/lib/systemd/system/rescue.service":
-+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
-+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
-+ {{%- elif product in ["rhel7"] -%}}
-+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-+ {{%- else -%}}
-+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-+ {{%- endif %}}
-+ {{%- else -%}}
-+ Add or update the following line in "/etc/sysconfig/init":
-+ SINGLE=/sbin/sulogin
-+ {{%- endif %}}
-
-From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 14:15:12 +0200
-Subject: [PATCH 05/20] Update OCIL in grub2_admin_username
-
----
- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git
a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-index a43d5fcc038..0c824434e07 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-@@ -52,17 +52,17 @@ references:
- stigid@rhel7: RHEL-07-010483
- stigid@rhel8: RHEL-08-010149
-
--ocil_clause: 'it does not'
-+ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
-
- ocil: |-
- To verify the boot loader superuser account has been set, run the following
- command:
--
sudo grep -A1 "superusers" /etc/grub2.cfg
-+
sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}
- The output should show the following:
-
set superusers="superusers-account"
-     export superusers
- where superusers-account is the actual account name different from common names like root,
-- admin, or administrator.
-+ admin, or administrator and different from any other existing user name.
-
- warnings:
- - general: |-
-
-From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 14:15:28 +0200
-Subject: [PATCH 06/20] Add fixtext for grub2_admin_username
-
----
- .../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-index 0c824434e07..a813b417a00 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-@@ -73,3 +73,14 @@ warnings:
- grub.cfg file as the grub2-mkconfig command overwrites this file.
-
- platform: machine
-+
-+fixtext: |-
-+ Configure the system to require a grub bootloader password for the grub superuser account.
-+
-+ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-+
-+ set superusers=""
-+ export superusers
-+
-+ Once the superuser account has been added, update the grub.cfg file by running:
-+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-
-From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 15:04:21 +0200
-Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password
-
----
- .../non-uefi/grub2_password/rule.yml | 35 ++++++-------------
- 1 file changed, 10 insertions(+), 25 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index ad515a65ee7..268f48a16c1 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -77,33 +77,18 @@ references:
- stigid@sle15: SLES-15-010190
- stigid@ubuntu2004: UBTU-20-010009
-
--ocil_clause: 'it does not'
-+ocil_clause: 'it does not produce any output'
-
- ocil: |-
-- To verify the boot loader superuser password has been set, run the following
-- command:
-- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
--
sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg
-- {{% else %}}
--
sudo grep "superusers" /etc/grub2.cfg
-- {{% endif %}}
-- The output should show the following:
--
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
-- To verify the boot loader superuser account password has been set,
-- and the password encrypted, run the following command:
-- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
--
sudo cat /etc/grub.d/40_custom
-- The output should be similar to:
--
set superusers="boot"
--    password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088
-- {{% else %}}
--
sudo cat {{{ grub2_boot_path }}}/user.cfg
-- The output should be similar to:
--
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
--    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
--    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
--    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
-- {{% endif %}}
-+ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
-+ {{{ grub2_boot_path }}}/grub.cfg.
-+ Run the following commands:
-+
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
-+    $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
-+    
-+
-+ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
-+
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  {{{ grub2_boot_path }}}/grub.cfg
-
- warnings:
- - general: |-
-
-From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 15:04:34 +0200
-Subject: [PATCH 08/20] Add fixtext for grub2_password
-
-Adopted from the RHEL 8 STIG spreadsheet.
----
- .../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index 268f48a16c1..4a7e0694884 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -99,3 +99,20 @@ warnings:
- grub.cfg file as the grub2-mkconfig command overwrites this file.
-
- platform: machine
-+
-+fixtext: |-
-+ Configure the system to require a grub bootloader password for the grub superuser account.
-+
-+ Generate an encrypted grub2 password for the grub superuser account with the following command:
-+
-+ $ sudo grub2-setpassword
-+ Enter password:
-+ Confirm password:
-+
-+ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-+
-+ set superusers="[someuniquestringhere]"
-+ export superusers
-+
-+ Once the superuser account has been added, update the grub.cfg file by running:
-+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-
-From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 15:54:12 +0200
-Subject: [PATCH 09/20] Fix a typo
-
----
- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-index
17b4918c5f5..fcf9031fa93 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-@@ -15,7 +15,7 @@ description: |-
- admin, or administrator for the grub2 superuser account.
-

- Change the superuser to a different username (The default is 'root').
--
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
-+
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
-

- Once the superuser account has been added,
- update the
-
-From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 15:54:44 +0200
-Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username
-
----
- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-index fcf9031fa93..c76d086c5f2 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-@@ -64,12 +64,12 @@ ocil_clause: 'it does not'
- ocil: |-
- To verify the boot loader superuser account has been set, run the following
- command:
--
sudo grep -A1 "superusers" /etc/grub2-efi.cfg
-+
sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg
- The output should show the following: -
set superusers="superusers-account"
-     export superusers
- where superusers-account is the actual account name different from common names like root,
-- admin, or administrator.
-+ admin, or administrator and different from any other existing user name.
-
- warnings:
- - general: |-
-
-From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 15:54:57 +0200
-Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username
-
----
- .../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-index c76d086c5f2..2a4556c1659 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-@@ -80,3 +80,16 @@ warnings:
- grub.cfg file as the grub2-mkconfig command overwrites this file.
-
- platform: machine
-+
-+fixtext: |-
-+ Configure the system to require a grub bootloader password for the grub superuser account.
-+
-+ Select a password-protected superuser account with unique name, and modify the
-+ "/etc/grub.d/01_users" configuration file to reflect the account name change.
-+
-+ Add or edit the following line in /etc/grub.d/01_users:
-+
-+ set superusers=
-+
-+ Once the superuser account has been added, update the grub.cfg file by running:
-+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-
-From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 17:55:09 +0200
-Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password
-
----
- .../uefi/grub2_uefi_password/rule.yml | 30 +++----------------
- 1 file changed, 4 insertions(+), 26 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-index 4579b1ff2e7..ee4f6c1470a 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-@@ -77,39 +77,17 @@ references:
- stigid@sle15: SLES-15-010200
- stigid@ubuntu2004: UBTU-20-010009
-
--ocil_clause: 'it does not'
-+ocil_clause: 'no password is set'
-
- ocil: |-
-- To verify the boot loader superuser password has been set, run the following
-- command:
-- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}}
--
sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom
-- {{% else %}}
--
sudo grep "password" /etc/grub2-efi.cfg
-- {{% endif %}}
-- The output should show the following:
--
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
-- To verify the boot loader superuser account password has been set,
-- and the password encrypted, run the following command:
-- {{% if product in ["sle12", "sle15"] %}}
--
sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
-- The output should be similar to:
--
password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
--    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
--    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
--    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
-- {{% elif "ubuntu" in product %}}
--
grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
-- The output should contain something similar to:
--
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
-- {{% else %}}
--
sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
-+ To verify the boot loader superuser password has been set, run the following command:
-+ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg
- The output should be similar to:
-
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
-     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
-     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
-- {{% endif %}}
-+
-
- warnings:
- - general: |-
-
-From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Mon, 25 Apr 2022 17:55:31 +0200
-Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password
-
----
- .../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-index ee4f6c1470a..4ed65d5f68d 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-@@ -98,3 +98,18 @@ warnings:
- grub.cfg file as the grub2-mkconfig command overwrites this file.
-
- platform: machine
-+
-+fixtext: |-
-+ Configure {{{ full_name }}} to use a secure UEFI boot loader password.
-+
-+ Run the following command:
-+ $ sudo grub2-setpassword
-+
-+ When prompted, enter the password that was selected.
-+ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
-+
-+ set superusers="boot"
-+ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
-+
-+ Then, update the grub.cfg file by running:
-+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-
-From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 26 Apr 2022 08:43:08 +0200
-Subject: [PATCH 14/20] Fix a typo
-
----
- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-index a813b417a00..88551a068bf 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-@@ -52,7 +52,7 @@ references:
- stigid@rhel7: RHEL-07-010483
- stigid@rhel8: RHEL-08-010149
-
--ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
-+ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
-
- ocil: |-
- To verify the boot loader superuser account has been set, run the following
-
-From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 3 May 2022 10:07:51 +0200
-Subject: [PATCH 15/20] Add an update operation to macro grub_command
-
----
- shared/macros/general.jinja | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja
-index 3802ea40eea..df4c696d3ca 100644
---- a/shared/macros/general.jinja
-+++ b/shared/macros/general.jinja
-@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
-
-
- {{#
--Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader.
-+Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader.
- Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.)
- Part of the grub2_bootloader_argument(_absent) templates.
-
--:param action: What to do with the argument, either "add" or "remove".
-+:param action: What to do with the argument, must be one of: "update", "add", "remove".
- :type action str:
- :param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit".
- :type arg_name_value str:
-
- #}}
--{{% macro grub_command(action, arg_name_value) -%}}
-+{{% macro grub_command(action, arg_name_value=None) -%}}
- {{%- if 'ubuntu' in product -%}}
- {{%- set grub_helper_executable = "update-grub" -%}}
- {{%- set grub_helper_args = [] -%}}
-@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates.
- {{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}}
- {{%- else -%}}
- {{%- set grub_helper_executable = "grubby" -%}}
-- {{%- if action == "add" -%}}
-+ {{%- if action == "update" -%}}
-+ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}}
-+ {{%- elif action == "add" -%}}
- {{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}}
- {{%- elif action == "remove" -%}}
- {{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}}
-
-From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 3 May 2022 10:08:54 +0200
-Subject: [PATCH 16/20] Use grub_command macro in rules in
- SRG-OS-000080-GPOS-00048
-
----
- .../non-uefi/grub2_admin_username/rule.yml | 5 +++--
- .../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------
- .../uefi/grub2_uefi_admin_username/rule.yml | 5 +++--
- .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------
- 4 files changed, 12 insertions(+), 16 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-index 88551a068bf..5557664f8be 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-@@ -20,7 +20,7 @@ description: |-
- Once the superuser account has been added,
- update the
- grub.cfg file by running:
--
grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
-+
{{{ grub_command("update") }}}
-
- rationale: |-
- Having a non-default grub superuser username makes password-guessing attacks less effective.
-@@ -83,4 +83,5 @@ fixtext: |-
- export superusers
-
- Once the superuser account has been added, update the grub.cfg file by running:
-- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-+
-+ $ sudo {{{ grub_command("update") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-index 4a7e0694884..43c63b56ffc 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
-@@ -28,11 +28,7 @@ description: |-
- Once the superuser password has been added,
- update the
- grub.cfg file by running:
-- {{% if "ubuntu" in product %}}
--
update-grub
-- {{% elif product in ["sle12", "sle15"] %}}
--
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-- {{% endif %}}
-+
{{{ grub_command("update") }}}
- {{% endif %}}
-
- rationale: |-
-@@ -115,4 +111,5 @@ fixtext: |-
- export superusers
-
- Once the superuser account has been added, update the grub.cfg file by running:
-- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-+
-+ $ sudo {{{ grub_command("update") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-index 2a4556c1659..bd07ab2ee29 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-@@ -20,7 +20,7 @@ description: |-
- Once the superuser account has been added,
- update the
- grub.cfg file by running:
--
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-+
{{{ grub_command("update") }}}
-
- rationale: |-
- Having a non-default grub superuser username makes password-guessing attacks less effective.
-@@ -92,4 +92,5 @@ fixtext: |-
- set superusers=
-
- Once the superuser account has been added, update the grub.cfg file by running:
-- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-+
-+ $ sudo {{{ grub_command("update") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-index 4ed65d5f68d..98144a9e651 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
-@@ -28,11 +28,7 @@ description: |-
- Once the superuser password has been added,
- update the
- grub.cfg file by running:
-- {{% if "ubuntu" in product %}}
--
update-grub
-- {{% elif product in ["sle12", "sle15"] %}}
--
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-- {{% endif %}}
-+
{{{ grub_command("update") }}}
- {{% endif %}}
-
- rationale: |-
-@@ -112,4 +108,5 @@ fixtext: |-
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
-
- Then, update the grub.cfg file by running:
-- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
-+
-+ $ sudo {{{ grub_command("update") }}}
-
-From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 3 May 2022 10:09:14 +0200
-Subject: [PATCH 17/20] Update OCIL
-
----
- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-index 5557664f8be..ccf7ca74932 100644
---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
-@@ -79,7 +79,7 @@ fixtext: |-
-
- Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-
-- set superusers=""
-+ set superusers="superusers-account"
- export superusers
-
- Once the superuser account has been added, update the grub.cfg file by running:
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-index bd07ab2ee29..61e2e4e066f 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
-@@ -59,7 +59,7 @@ references:
- stigid@rhel7: RHEL-07-010492
- stigid@rhel8: RHEL-08-010141
-
--ocil_clause: 'it does not'
-+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
-
- ocil: |-
- To verify the boot loader superuser account has been set, run the following -@@ -89,7 +89,7 @@ fixtext: |- - - Add or edit the following line in /etc/grub.d/01_users: - -- set superusers= -+ set superusers="superusers-account" - - Once the superuser account has been added, update the grub.cfg file by running: - - -From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 3 May 2022 10:19:19 +0200 -Subject: [PATCH 18/20] Use a unique account name for the superusers account - ---- - .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -index 98144a9e651..58fb77ab98f 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -@@ -103,9 +103,10 @@ fixtext: |- - - When prompted, enter the password that was selected. - Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content: -+ Use a unique account name for the superusers account. 
- -- set superusers="boot" -- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash -+ set superusers="superusers-account" -+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash - - Then, update the grub.cfg file by running: - - -From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 6 May 2022 13:51:29 +0200 -Subject: [PATCH 19/20] Apply suggestions from code review - -Co-authored-by: Matthew Burket ---- - .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- - .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -index ccf7ca74932..7a9f397f744 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -@@ -75,7 +75,7 @@ warnings: - platform: machine - - fixtext: |- -- Configure the system to require a grub bootloader password for the grub superuser account. -+ Configure the system to have a unique username for the grub superuser account. - - Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -index 61e2e4e066f..8d6ebad550c 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -@@ -82,7 +82,7 @@ warnings: - platform: machine - - fixtext: |- -- Configure the system to require a grub bootloader password for the grub superuser account. 
-+ Configure the system to have a unique username for the grub superuser account. - - Select a password-protected superuser account with unique name, and modify the - "/etc/grub.d/01_users" configuration file to reflect the account name change. - -From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 9 May 2022 08:33:54 +0200 -Subject: [PATCH 20/20] Replace the system by full name - ---- - .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- - .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +- - .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -index 7a9f397f744..14bdfd57a6d 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml -@@ -75,7 +75,7 @@ warnings: - platform: machine - - fixtext: |- -- Configure the system to have a unique username for the grub superuser account. -+ Configure {{{ full_name }}} to have a unique username for the grub superuser account. - - Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -index 43c63b56ffc..211d8b28a84 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -@@ -97,7 +97,7 @@ warnings: - platform: machine - - fixtext: |- -- Configure the system to require a grub bootloader password for the grub superuser account. 
-+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account. - - Generate an encrypted grub2 password for the grub superuser account with the following command: - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -index 8d6ebad550c..d36dbcbb187 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml -@@ -82,7 +82,7 @@ warnings: - platform: machine - - fixtext: |- -- Configure the system to have a unique username for the grub superuser account. -+ Configure {{{ full_name }}} to have a unique username for the grub superuser account. - - Select a password-protected superuser account with unique name, and modify the - "/etc/grub.d/01_users" configuration file to reflect the account name change. diff --git a/scap-security-guide.spec b/scap-security-guide.spec index f5702b1..43e0ab6 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -5,8 +5,8 @@ # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.62 -Release: 2%{?dist} +Version: 0.1.63 +Release: 1%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ 
@@ -24,20 +24,6 @@ BuildRequires: python%{python3_pkgversion}-jinja2
 BuildRequires: python%{python3_pkgversion}-PyYAML
 Requires: xml-common, openscap-scanner >= 1.2.5
 
-Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
-Patch1: scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
-Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
-Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
-Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
-Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
-Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
-Patch7: scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
-Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
-Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
-Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
-Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
-Patch12: scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
-
 %description
 The scap-security-guide project provides a guide for configuration of the
 system from the final system's security point of view. The guidance is specified
@@ -112,6 +98,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Mon Aug 01 2022 Vojtech Polasek - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
+
 * Mon Jul 18 2022 Vojtech Polasek - 0.1.62-2
 - Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
 - Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
diff --git a/sources b/sources
index 7ce9265..553cad7 100644
--- a/sources
+++ b/sources
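Review bot: The new `%changelog` entry in the second hunk credits only RHBZ#2070563, while the commit message resolves ten more bugs (2108158, 2108167, 2108173, 2108224, 2108226, 2109984, 2109992, 2109994, 2110347, 2110350); since the package changelog is what downstream consumers of the RPM read, the bugs closed by the dropped backports should be listed there too, e.g. `- Rebase to a new upstream release 0.1.63 (RHBZ#2070563, RHBZ#2108158, RHBZ#2108167, ...)`. The first hunk drops Patch0–Patch12, each named after an upstream PR (8616, 9081–9149), presumably because 0.1.63 contains them; it is worth confirming each PR is reachable from the 0.1.63 tag before this lands, because a backport dropped too early silently reverts a hardening change (for instance the FIPS sub-policy tightening in PR_9149 or the OSPP rule adjustments). A one-line changelog note such as `- Drop backported patches now included upstream` would record that intent for the next rebase.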
@@ -1 +1 @@
-SHA512 (scap-security-guide-0.1.62.tar.bz2) = b8cdd76ad0c09c9257121283df6e5a8f2acd6c9734ff9b577673ce8ff04af8a1b9ceb37621cb8bd0873391f771844e0479954850ae77b442c780206b957a0e09
+SHA512 (scap-security-guide-0.1.63.tar.bz2) = ad2f7f873af22b0bc2916d8487f6d5621c65495c4c84a0a4e8c98969d5edd2a0833e956b32c19c893e1852b15adc65af24bb4fea7db71b3042c5e1b512a3957b