rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

rebase to upstream version 0.1.63

Browse Source 
Resolves: rhbz#2070563
    Resolves: rhbz#2108158
    Resolves: rhbz#2108167
    Resolves: rhbz#2108173
    Resolves: rhbz#2108224
    Resolves: rhbz#2108226
    Resolves: rhbz#2109984
    Resolves: rhbz#2109992
    Resolves: rhbz#2109994
    Resolves: rhbz#2110347
    Resolves: rhbz#2110350
This commit is contained in:
Vojtech Polasek 2022-08-01 11:25:54 +02:00
parent 17023b428c
commit 14378e5ed6
16 changed files with 7 additions and 2394 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -44,3 +44,4 @@
/scap-security-guide-0.1.59.tar.bz2 /scap-security-guide-0.1.59.tar.bz2
/scap-security-guide-0.1.60.tar.bz2 /scap-security-guide-0.1.60.tar.bz2
/scap-security-guide-0.1.62.tar.bz2 /scap-security-guide-0.1.62.tar.bz2
/scap-security-guide-0.1.63.tar.bz2

369
scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
View File

@ -1,369 +0,0 @@
From 86fcd3db1d66bb846c12a7ecd857ba17734927b0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 6 Jul 2022 16:55:59 +0200
Subject: [PATCH 1/3] Add grub2_systemd_debug-shell_argument_absent
Create rule that ensure that systemd.debug-shell=1 is not defined for
the kernel command line.
---
.../rule.yml | 51 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
2 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..8b6ff3bc333
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+title: 'Ensure debug-shell service is not enabled during boot'
+
+description: |-
+ systemd's <tt>debug-shell</tt> service is intended to
+ diagnose systemd related boot issues with various <tt>systemctl</tt>
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on <tt>tty9</tt> which is access by pressing
+ <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+ for systemd related issues and should otherwise be disabled.
+ <br /><br />
+ By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+ boot paramenter option.
+
+ Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+ doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
+ Run the following command to update command line for already installed kernels:
+ <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86292-0
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+ <pre>grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub</pre>
+ If the command returns a line, it means that debug-shell service is being enabled.
+
+fixtext: |-
+ {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
+
+platform: machine
+
+template:
+ name: grub2_bootloader_argument_absent
+ vars:
+ arg_name: systemd.debug-shell
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 431b133d416..b7af828fdb0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -271,7 +271,6 @@ CCE-86288-8
CCE-86289-6
CCE-86290-4
CCE-86291-2
-CCE-86292-0
CCE-86293-8
CCE-86294-6
CCE-86295-3
From 14381efdbc869ed9fadc31da1c510d1cf8c1522a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 8 Jul 2022 21:57:52 +0200
Subject: [PATCH 2/3] Add zipl_systemd_debug-shell_argument_absent
Create rule that ensures systemd.debug-shell=1 is not defined for the
kernel command line in zIPL.
---
.../ansible/shared.yml | 38 ++++++++++++++
.../bash/shared.sh | 9 ++++
.../oval/shared.xml | 39 +++++++++++++++
.../rule.yml | 50 +++++++++++++++++++
.../tests/argument_missing.pass.sh | 8 +++
.../tests/configured_in_cmdline.fail.sh | 10 ++++
.../tests/configured_in_entry.fail.sh | 11 ++++
.../multiple_configured_in_cmdline.fail.sh | 7 +++
shared/references/cce-redhat-avail.txt | 1 -
9 files changed, 172 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
new file mode 100644
index 00000000000..790dd88b6b4
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/ansible/shared.yml
@@ -0,0 +1,38 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain systemd.debug-shell"
+ block:
+ - name: "Check how many boot entries set systemd.debug-shell"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*systemd.debug-shell.*$"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Remove systemd.debug-shell from boot entries"
+ command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+ when: n_entries is defined and n_entries.matched >= 1
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains systemd.debug-shell"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*systemd.debug-shell.*$"
+ register: cmdline_find
+
+ - name: "Remove systemd.debug-shell from /etc/kernel/cmdline"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: '^(.*)\s*systemd.debug-shell\b\S*(.*)$'
+ line: '\1\2'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched >= 1
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
new file mode 100644
index 00000000000..0d90d58db2c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+
+# Ensure new kernels and boot entries retain the boot option
+if grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
+ sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
new file mode 100644
index 00000000000..1399c6f662f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.") }}}
+ <criteria operator="AND">
+ <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /boot/loader/entries/.*.conf"
+ test_ref="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" negate="true"/>
+ <criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /etc/kernel/cmdline"
+ test_ref="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" negate="true"/>
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf"
+ comment="Check if argument systemd.debug-shell is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
+ check="at least one" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+ <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+
+ </ind:textfilecontent54_state><ind:textfilecontent54_test id="test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline"
+ comment="Check if argument systemd.debug-shell is present in /etc/kernel/cmdline"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+ <ind:state state_ref="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+ <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
new file mode 100644
index 00000000000..3a442c4eb79
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: rhcos4,rhel8,rhel9
+
+title: 'Ensure debug-shell service is not enabled in zIPL'
+
+description: |-
+ systemd's <tt>debug-shell</tt> service is intended to
+ diagnose systemd related boot issues with various <tt>systemctl</tt>
+ commands. Once enabled and following a system reboot, the root shell
+ will be available on <tt>tty9</tt> which is access by pressing
+ <tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
+ for systemd related issues and should otherwise be disabled.
+ <br /><br />
+ By default, the <tt>debug-shell</tt> systemd service is already disabled.
+
+ Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
+ boot paramenter option.
+
+ Check that not boot entries in <tt>/boot/loader/entries/*.conf</tt> have
+ <tt>systemd.debug-shell=1</tt> included in its options.<br />
+ To ensure that new kernels and boot entries don't enable the debug-shell, check
+ that <tt>systemd.debug-shell=1</tt> is not present in <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ This prevents attackers with physical access from trivially bypassing security
+ on the machine through valid troubleshooting configurations and gaining root
+ access when the system is rebooted.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86420-7
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'the comand returns a line'
+
+ocil: |-
+ Ensure that debug-shell service is not enabled with the following command:
+ <pre>sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that enables the debug-shell.
+
+platform: machine
+
+#template:
+# name: zipl_bls_entries_option_absent
+# vars:
+# arg_name: systemd.debug-shell
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
new file mode 100644
index 00000000000..4649db979cf
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/argument_missing.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries don't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd\.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..faac856fbed
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_cmdline.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+# Make sure /etc/kernel/cmdline contains systemd.debug-shell
+if ! grep -qs '^(.*\s)?systemd.debug-shell(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "systemd.debug-shell=1" >> /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
new file mode 100644
index 00000000000..fe07a37d0c3
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/configured_in_entry.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove systemd.debug-shell from all boot entries
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains systemd.debug-shell
+sed -i '/^options / s/$/ systemd.debug-shell=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline doesn't contain systemd.debug-shell
+sed -Ei 's/(^.*)systemd\.debug-shell(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
new file mode 100644
index 00000000000..0c2febb0370
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_systemd_debug-shell_argument_absent/tests/multiple_configured_in_cmdline.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries doesn't contain systemd.debug-shell
+sed -Ei 's/(^options.*)\s\bsystemd.debug-shell\b\S*(.*?)$/\1\2/' /boot/loader/entries/*
+
+echo "option1 systemd.debug-shell=1 option2" > /etc/kernel/cmdline
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b7af828fdb0..254fa817f8e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -376,7 +376,6 @@ CCE-86416-5
CCE-86417-3
CCE-86418-1
CCE-86419-9
-CCE-86420-7
CCE-86424-9
CCE-86425-6
CCE-86426-4
From 2af504b656fa0a273df5bb4ce7670310a414b29c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 7 Jul 2022 09:37:46 +0200
Subject: [PATCH 3/3] Select grub debug-shell rule in RHEL9 OSPP
---
products/rhel9/profiles/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f902dd5e7cd..f1faaedb812 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -75,6 +75,7 @@ selections:
- disable_ctrlaltdel_reboot
- disable_ctrlaltdel_burstaction
- service_debug-shell_disabled
+ - grub2_systemd_debug-shell_argument_absent
### umask
- var_accounts_user_umask=027
@@ -380,3 +381,4 @@ selections:
- zipl_audit_backlog_limit_argument
- zipl_init_on_alloc_argument
- zipl_page_alloc_shuffle_argument
+ - zipl_systemd_debug-shell_argument_absent

27
scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
View File

@ -1,27 +0,0 @@
From fd1f968504765db0ba5c32ac50058d7a05242343 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Jul 2022 14:35:56 +0200
Subject: [PATCH] Make rule audit_access_success in OSPP profile unenforcing
Set severity to info and role to unscored, because the rule
creates an audit rule that creates generating huge amounts
of audit records generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2058154
---
products/rhel9/profiles/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 1fad0031749..8e54ae4281d 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -372,6 +372,8 @@ selections:
- audit_modify_success
- audit_access_failed
- audit_access_success
+ - audit_access_success.severity=info
+ - audit_access_success.role=unscored
- audit_delete_failed
- audit_delete_success
- audit_perm_change_failed

60
scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
View File

@ -1,60 +0,0 @@
From b44f64edb4ff2631c7cda02866a07f1eb8888073 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Jul 2022 14:55:53 +0200
Subject: [PATCH] Remove rule zip_vsyscall_argument
According to
https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=vsyscall
vsyscall is applicable to X86-64 but ZIPl is used only on
s390x on RHEL, and likely on other OSes as well.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2060049
---
products/rhel8/profiles/ospp.profile | 3 ---
products/rhel9/profiles/ospp.profile | 1 -
tests/data/profile_stability/rhel8/ospp.profile | 3 ---
3 files changed, 7 deletions(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index e6a0dd75020..235ab3dcfad 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -437,6 +437,3 @@ selections:
- zipl_audit_backlog_limit_argument
- zipl_slub_debug_argument
- zipl_page_poison_argument
- - zipl_vsyscall_argument
- - zipl_vsyscall_argument.role=unscored
- - zipl_vsyscall_argument.severity=info
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 1fad0031749..c5a291d5c69 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -406,6 +406,5 @@ selections:
- zipl_bootmap_is_up_to_date
- zipl_audit_argument
- zipl_audit_backlog_limit_argument
- - zipl_vsyscall_argument
- zipl_init_on_alloc_argument
- zipl_page_alloc_shuffle_argument
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index f2a56411e6f..5757acf030e 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -233,7 +233,6 @@ selections:
- zipl_bootmap_is_up_to_date
- zipl_page_poison_argument
- zipl_slub_debug_argument
-- zipl_vsyscall_argument
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
@@ -265,8 +264,6 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- zipl_vsyscall_argument.role=unscored
-- zipl_vsyscall_argument.severity=info
platforms: !!set {}
cpe_names: !!set {}
platform: null

30
scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
View File

@ -1,30 +0,0 @@
From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 14 Jul 2022 17:28:00 +0200
Subject: [PATCH] Reduce the list of FIPS crypto policies
RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
as FIPS, except the FIPS:OSPP.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
---
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 7cf1de346a7..65056a654c6 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -21,7 +21,12 @@
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
<ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+ {{% if product in ["ol9","rhel9"] -%}}
+ <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
+ {{%- else %}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
+ {{%- endif %}}
</ind:variable_state>
<external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
</def-group>

200
scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
View File

@ -1,200 +0,0 @@
From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 13:52:01 +0200
Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with
default value
Remove rules that just reenforce RHEL9 default without specific
OSPP requirement.
---
products/rhel9/profiles/ospp.profile | 8 --------
1 file changed, 8 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..6b57dcdeeb7 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -78,20 +78,12 @@ selections:
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv6_conf_all_accept_source_route
- - sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv4_tcp_syncookies
From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 13:58:24 +0200
Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality
The TCP SYN cookikes rules may prevent some TCP options from working;
and without accepting Router Advertisements, ability of hosts to use
IPv6 becomes severely limited.
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 6b57dcdeeb7..d0000be5041 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_default_accept_ra
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv6_conf_all_accept_redirects
@@ -85,7 +83,6 @@ selections:
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv4_tcp_syncookies
### systemd
- disable_ctrlaltdel_reboot
From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:01:41 +0200
Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not
related to OSPP
Removes rules that change RHEL9 default values but are not related to
any specific OSPP requirement
---
products/rhel9/profiles/ospp.profile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index d0000be5041..e9dbb8bc7bd 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,10 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:03:53 +0200
Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect
the TOE
Remove rules that changes the default value but don't impact the
security of the TOE in any way.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index e9dbb8bc7bd..159170d5ff9 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -74,8 +74,6 @@ selections:
### Network Settings
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:05:22 +0200
Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE
Sysctl allows redirects only when they are considered secure.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 159170d5ff9..771daed43e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:08:47 +0200
Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules
Remove rules that might help with detecting network issues but not
related to TOE security.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 771daed43e2..58702502bf4 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
### systemd
From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:09:57 +0200
Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding
Remove rule that prevents routing which is a valid use-case.
This is also needed for containerized and VM-hosting setups.
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 58702502bf4..c9e944b32d2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -71,9 +71,6 @@ selections:
# Time Server
- chronyd_client_only
- ### Network Settings
- - sysctl_net_ipv4_ip_forward
-
### systemd
- disable_ctrlaltdel_reboot
- disable_ctrlaltdel_burstaction

38
scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
View File

@ -1,38 +0,0 @@
From 0d1803f0bfd793ff6038d05430d1ffa6ecdf073d Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 14 Jul 2022 17:06:50 +0200
Subject: [PATCH] Remove yp-related rules from RHEL9
The package is not supported on that system:
https://access.redhat.com/solutions/5991271
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2096602
---
.../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
.../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 9be95ffed5c..d8a3910ff4d 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index dc9a2dfb987..0e260a846d1 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Uninstall ypserv Package'

34
scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
View File

@ -1,34 +0,0 @@
From f5a025d27828e9685478fa54a7a6e510ead44bea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 8 Jul 2022 10:49:25 +0200
Subject: [PATCH] remove rules from rhel9 ospp profile
---
products/rhel9/profiles/ospp.profile | 7 -------
1 file changed, 7 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f902dd5e7cd..c9c4c1a33c8 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -146,9 +146,6 @@ selections:
- package_openssh-server_installed
- package_openssh-clients_installed
- package_policycoreutils-python-utils_installed
- - package_rsyslog_installed
- - package_rsyslog-gnutls_installed
- - package_audispd-plugins_installed
- package_chrony_installed
- package_gnutls-utils_installed
@@ -364,10 +361,6 @@ selections:
# Enable dnf-automatic Timer
- timer_dnf-automatic_enabled
- # Configure TLS for remote logging
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
-
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab

402
scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
View File

@ -1,402 +0,0 @@
From d0ea0f62dcf91041afb6de4d282aa2001cc2a449 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:39:06 +0200
Subject: [PATCH 1/7] remove rule and variable from RHEL9 profiles
---
products/rhel9/profiles/ospp.profile | 2 --
products/rhel9/profiles/stig.profile | 4 ----
2 files changed, 6 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index c9e944b32d2..0abd2e4f2ff 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -211,8 +211,6 @@ selections:
## Configure Minimum Password Length to 12 Characters
## IA-5 (1)(a) / FMT_MOF_EXT.1
- - var_accounts_password_minlen_login_defs=12
- - accounts_password_minlen_login_defs
- var_password_pam_minlen=12
- accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 55520623e8c..a130580acc5 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -42,7 +42,6 @@ selections:
- var_password_pam_remember_control_flag=required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - var_accounts_password_minlen_login_defs=15
- var_password_pam_unix_rounds=5000
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
@@ -578,9 +577,6 @@ selections:
# RHEL-08-020230
- accounts_password_pam_minlen
- # RHEL-08-020231
- - accounts_password_minlen_login_defs
-
# RHEL-08-020240
- account_unique_id
From ecbb5502adefc3ad5adffb277334bca2e332a86b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:39:22 +0200
Subject: [PATCH 2/7] remove rule and variable from RHEL8 profiles
---
products/rhel8/profiles/cjis.profile | 1 -
products/rhel8/profiles/ospp.profile | 2 --
products/rhel8/profiles/rht-ccp.profile | 2 --
products/rhel8/profiles/stig.profile | 4 ----
4 files changed, 9 deletions(-)
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 96e0aaeee79..30843b692ef 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -63,7 +63,6 @@ selections:
- accounts_password_all_shadowed
- no_empty_passwords
- display_login_attempts
- - var_accounts_password_minlen_login_defs=12
- var_accounts_maximum_age_login_defs=90
- var_password_pam_unix_remember=10
- var_account_disable_post_pw_expiration=0
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 235ab3dcfad..39ad1797c7a 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -264,8 +264,6 @@ selections:
## Configure Minimum Password Length to 12 Characters
## IA-5 (1)(a) / FMT_MOF_EXT.1
- - var_accounts_password_minlen_login_defs=12
- - accounts_password_minlen_login_defs
- var_password_pam_minlen=12
- accounts_password_pam_minlen
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 3b747fdecc8..e8e7e3a72f2 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -14,7 +14,6 @@ selections:
- file_owner_logfiles_value=root
- file_groupowner_logfiles_value=root
- sshd_idle_timeout_value=5_minutes
- - var_accounts_password_minlen_login_defs=6
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_password_warn_age_login_defs=7
@@ -43,7 +42,6 @@ selections:
- no_empty_passwords
- accounts_password_all_shadowed
- accounts_no_uid_except_zero
- - accounts_password_minlen_login_defs
- accounts_minimum_age_login_defs
- accounts_password_warn_age_login_defs
- accounts_password_pam_retry
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index e6923824c79..9fb371d701a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -41,7 +41,6 @@ selections:
- var_password_pam_remember_control_flag=required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - var_accounts_password_minlen_login_defs=15
- var_password_pam_unix_rounds=5000
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
@@ -607,9 +606,6 @@ selections:
# RHEL-08-020230
- accounts_password_pam_minlen
- # RHEL-08-020231
- - accounts_password_minlen_login_defs
-
# RHEL-08-020240
- account_unique_id
From 38897e5e5ff44cc442aa3b0a7e8046c42547fafd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:39:37 +0200
Subject: [PATCH 3/7] remove rule and variable from RHEL7 profiles
---
products/rhel7/profiles/cjis.profile | 1 -
products/rhel7/profiles/ncp.profile | 1 -
products/rhel7/profiles/ospp.profile | 2 --
products/rhel7/profiles/rhelh-stig.profile | 2 --
products/rhel7/profiles/rht-ccp.profile | 2 --
5 files changed, 8 deletions(-)
diff --git a/products/rhel7/profiles/cjis.profile b/products/rhel7/profiles/cjis.profile
index 35bc9c27ee7..fceccdac77d 100644
--- a/products/rhel7/profiles/cjis.profile
+++ b/products/rhel7/profiles/cjis.profile
@@ -63,7 +63,6 @@ selections:
- accounts_password_all_shadowed
- no_empty_passwords
- display_login_attempts
- - var_accounts_password_minlen_login_defs=12
- var_accounts_maximum_age_login_defs=90
- var_password_pam_unix_remember=10
- var_account_disable_post_pw_expiration=0
diff --git a/products/rhel7/profiles/ncp.profile b/products/rhel7/profiles/ncp.profile
index db7fa8ff7b9..4761a6cebc2 100644
--- a/products/rhel7/profiles/ncp.profile
+++ b/products/rhel7/profiles/ncp.profile
@@ -285,7 +285,6 @@ selections:
- var_account_disable_post_pw_expiration=35
- var_accounts_maximum_age_login_defs=60
- var_accounts_minimum_age_login_defs=7
- - var_accounts_password_minlen_login_defs=6
- var_accounts_password_warn_age_login_defs=7
- var_accounts_tmout=10_min
- var_password_pam_difok=8
diff --git a/products/rhel7/profiles/ospp.profile b/products/rhel7/profiles/ospp.profile
index 0d84cec4fb0..2ab41bad0bc 100644
--- a/products/rhel7/profiles/ospp.profile
+++ b/products/rhel7/profiles/ospp.profile
@@ -180,8 +180,6 @@ selections:
## Configure Minimum Password Length to 12 Characters
## IA-5 (1)(a) / FMT_MOF_EXT.1
- - var_accounts_password_minlen_login_defs=12
- - accounts_password_minlen_login_defs
- var_password_pam_minlen=12
- accounts_password_pam_minlen
diff --git a/products/rhel7/profiles/rhelh-stig.profile b/products/rhel7/profiles/rhelh-stig.profile
index 98be35b146e..13c175d5b80 100644
--- a/products/rhel7/profiles/rhelh-stig.profile
+++ b/products/rhel7/profiles/rhelh-stig.profile
@@ -13,7 +13,6 @@ selections:
- inactivity_timeout_value=15_minutes
- var_password_pam_minlen=15
- accounts_password_pam_minlen
- - accounts_password_minlen_login_defs
- var_password_pam_ocredit=1
- accounts_password_pam_ocredit
- var_password_pam_dcredit=1
@@ -330,7 +329,6 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- var_accounts_maximum_age_login_defs=60
- var_accounts_minimum_age_login_defs=7
- - var_accounts_password_minlen_login_defs=6
- var_accounts_password_warn_age_login_defs=7
- var_accounts_tmout=10_min
- var_password_pam_difok=8
diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile
index 13f79781d6e..12a3a25013a 100644
--- a/products/rhel7/profiles/rht-ccp.profile
+++ b/products/rhel7/profiles/rht-ccp.profile
@@ -14,7 +14,6 @@ selections:
- file_owner_logfiles_value=root
- file_groupowner_logfiles_value=root
- sshd_idle_timeout_value=5_minutes
- - var_accounts_password_minlen_login_defs=6
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_password_warn_age_login_defs=7
@@ -43,7 +42,6 @@ selections:
- no_empty_passwords
- accounts_password_all_shadowed
- accounts_no_uid_except_zero
- - accounts_password_minlen_login_defs
- accounts_minimum_age_login_defs
- accounts_password_warn_age_login_defs
- accounts_password_pam_retry
From f513f5c2ce4d799a64c0535174aba21fbb5bd958 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:39:51 +0200
Subject: [PATCH 4/7] remove rule and variable from Fedora profiles
---
products/fedora/profiles/ospp.profile | 1 -
products/fedora/profiles/standard.profile | 2 --
2 files changed, 3 deletions(-)
diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile
index 49bb4bf8529..42a17b419a2 100644
--- a/products/fedora/profiles/ospp.profile
+++ b/products/fedora/profiles/ospp.profile
@@ -29,7 +29,6 @@ selections:
- var_selinux_state=enforcing
- var_password_pam_minlen=12
- accounts_password_pam_minlen
- - accounts_password_minlen_login_defs
- var_password_pam_ocredit=1
- accounts_password_pam_ocredit
- var_password_pam_dcredit=1
diff --git a/products/fedora/profiles/standard.profile b/products/fedora/profiles/standard.profile
index 37087083996..ffd385fb7ce 100644
--- a/products/fedora/profiles/standard.profile
+++ b/products/fedora/profiles/standard.profile
@@ -26,8 +26,6 @@ selections:
- accounts_password_all_shadowed
- gid_passwd_group_same
- no_netrc_files
- - var_accounts_password_minlen_login_defs=12
- - accounts_password_minlen_login_defs
- var_accounts_minimum_age_login_defs=7
- accounts_minimum_age_login_defs
- var_accounts_maximum_age_login_defs=90
From 8dc814b2ae523c13fa6ed117e5b4e1e78b813f8c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:40:06 +0200
Subject: [PATCH 5/7] remove rule and variable from control files
---
controls/anssi.yml | 3 ---
controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml | 2 --
controls/stig_rhel8.yml | 4 +---
3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 549ae2994ca..ed840cc5292 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -343,9 +343,6 @@ controls:
# Ensure passwords with minimum of 18 characters
- var_password_pam_minlen=18
- accounts_password_pam_minlen
- # Enforce password lenght for new accounts
- - var_accounts_password_minlen_login_defs=18
- - accounts_password_minlen_login_defs
# Require at Least 1 Special Character in Password
- var_password_pam_ocredit=1
- accounts_password_pam_ocredit
diff --git a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
index 85ae75210ba..ed2aa7ed196 100644
--- a/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
+++ b/controls/srg_gpos/SRG-OS-000078-GPOS-00046.yml
@@ -6,7 +6,5 @@ controls:
rules:
- accounts_password_pam_enforce_root
- accounts_password_pam_minlen
- - accounts_password_minlen_login_defs
- var_password_pam_minlen=15
- - var_accounts_password_minlen_login_defs=15
status: automated
diff --git a/controls/stig_rhel8.yml b/controls/stig_rhel8.yml
index 4e2d27c3910..d866b194a0f 100644
--- a/controls/stig_rhel8.yml
+++ b/controls/stig_rhel8.yml
@@ -1140,9 +1140,7 @@ controls:
levels:
- medium
title: RHEL 8 passwords for new users must have a minimum of 15 characters.
- rules:
- - accounts_password_minlen_login_defs
- status: automated
+ status: inherently met
- id: RHEL-08-020240
levels:
- medium
From 23b296d8428d6e8f9dd16cf7b0c37a469f904ce8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:41:15 +0200
Subject: [PATCH 6/7] update profile stability tests
---
tests/data/profile_stability/rhel8/ospp.profile | 2 --
tests/data/profile_stability/rhel8/stig.profile | 2 --
tests/data/profile_stability/rhel8/stig_gui.profile | 2 --
3 files changed, 6 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5757acf030e..5d73a8c6fef 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -23,7 +23,6 @@ metadata:
reference: https://www.niap-ccevs.org/Profile/PP.cfm
selections:
- accounts_max_concurrent_login_sessions
-- accounts_password_minlen_login_defs
- accounts_password_pam_dcredit
- accounts_password_pam_difok
- accounts_password_pam_lcredit
@@ -248,7 +247,6 @@ selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_system_crypto_policy=fips_ospp
-- var_accounts_password_minlen_login_defs=12
- var_password_pam_minlen=12
- var_password_pam_ocredit=1
- var_password_pam_dcredit=1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 5a304768288..9c9ceae6b2c 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -42,7 +42,6 @@ selections:
- accounts_minimum_age_login_defs
- accounts_no_uid_except_zero
- accounts_password_all_shadowed_sha512
-- accounts_password_minlen_login_defs
- accounts_password_pam_dcredit
- accounts_password_pam_dictcheck
- accounts_password_pam_difok
@@ -429,7 +428,6 @@ selections:
- var_password_pam_remember_control_flag=required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
-- var_accounts_password_minlen_login_defs=15
- var_password_pam_unix_rounds=5000
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 98bfa495ad1..f6a66f6069b 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -53,7 +53,6 @@ selections:
- accounts_minimum_age_login_defs
- accounts_no_uid_except_zero
- accounts_password_all_shadowed_sha512
-- accounts_password_minlen_login_defs
- accounts_password_pam_dcredit
- accounts_password_pam_dictcheck
- accounts_password_pam_difok
@@ -437,7 +436,6 @@ selections:
- var_password_pam_remember_control_flag=required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
-- var_accounts_password_minlen_login_defs=15
- var_password_pam_unix_rounds=5000
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
From 0763b1aa2a5e4ee043d0ff2e30ef71d122d58e0d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 4 Jul 2022 16:41:33 +0200
Subject: [PATCH 7/7] remove no longer applicable references from the rule
---
.../accounts_password_minlen_login_defs/rule.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 49a7816b8cc..fdd851043bc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -45,10 +45,8 @@ references:
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
nist: IA-5(f),IA-5(1)(a),CM-6(a)
nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
- ospp: FMT_MOF_EXT.1
srg: SRG-OS-000078-GPOS-00046
stigid@ol8: OL08-00-020231
- stigid@rhel8: RHEL-08-020231
ocil_clause: 'it is not set to the required value'

21
scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
View File

@ -1,21 +0,0 @@
From a607fe9715106b88511fd664b320ee63f6497ede Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jul 2022 14:07:25 +0200
Subject: [PATCH] remove rule from rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 75e5b0f5ed4..4ba874db90f 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,7 +58,6 @@ selections:
# sshd
- sshd_use_directory_configuration
- sshd_disable_root_login
- - sshd_enable_strictmodes
- disable_host_auth
- sshd_disable_empty_passwords
- sshd_disable_kerb_auth

30
scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
View File

@ -1,30 +0,0 @@
From 5b0ff05c2377a8a8a5ef13d34fc71ce0587ed6df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Jul 2022 13:04:48 +0200
Subject: [PATCH] Remove sysctl_fs_protected_* rules from RHEL 9 OSPP
The sysctl_fs_protected_hardlinks and sysctl_fs_protected_symlinks rules
reenforce the RHEL 9 default value. While that protection is useful,
there is no specific OSPP SFR or other reason for the SCAP rules in the
OSPP profile.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2081719
---
products/rhel9/profiles/ospp.profile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 1fad0031749..5536dd7b2b6 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -141,10 +141,6 @@ selections:
- sysctl_net_core_bpf_jit_harden
- service_kdump_disabled
- ## File System Settings
- - sysctl_fs_protected_hardlinks
- - sysctl_fs_protected_symlinks
-
### Audit
- service_auditd_enabled
- var_auditd_flush=incremental_async

330
scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
View File

@ -1,330 +0,0 @@
From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:46:31 +0200
Subject: [PATCH 1/5] Create rule grub2_disable_recovery
Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true
option in /etc/default/grub. The rule is similar to
grub2_disable_interactive_boot, but that one in addition checks
for systemd.confirm_spawn. This is introduced for OSPP.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
.../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++
.../grub2_disable_recovery/bash/shared.sh | 13 ++++++
.../grub2_disable_recovery/oval/shared.xml | 9 ++++
.../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++
.../tests/correct_value.pass.sh | 3 ++
.../tests/wrong_value.fail.sh | 3 ++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
new file mode 100644
index 00000000000..f6285cb13cb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Verify GRUB_DISABLE_RECOVERY=true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_DISABLE_RECOVERY=.*'
+ line: 'GRUB_DISABLE_RECOVERY=true'
+ state: present
+
+{{% if product in ['sle12', 'sle15'] %}}
+- name: Update grub defaults and the bootloader menu
+ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+{{% else %}}
+- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL
+{{% endif -%}}
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
new file mode 100644
index 00000000000..78322e63446
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
+else
+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+fi
+
+{{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
new file mode 100644
index 00000000000..10adbe0a30b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
@@ -0,0 +1,9 @@
+<def-group>
+ <definition class="compliance" id="grub2_disable_recovery" version="1">
+ {{{ oval_metadata("Recovery mode should be disabled.") }}}
+ <criteria operator="AND">
+ <extend_definition definition_ref="bootloader_disable_recovery_set_to_true"
+ comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
+ </criteria>
+ </definition>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
new file mode 100644
index 00000000000..4f8d4ddcfde
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Disable Recovery Booting'
+
+description: |-
+ {{{ full_name }}} systems support an "recovery boot" option that can be used
+ to prevent services from being started. The <tt>GRUB_DISABLE_RECOVERY</tt>
+ configuration option in <tt>/etc/default/grub</tt> should be set to
+ <tt>true</tt> to disable the generation of recovery mode menu entries. It is
+ also required to change the runtime configuration, run:
+ <pre>$ sudo {{{ grub_command("update") }}}</pre>
+
+rationale: |-
+ Using recovery boot, the console user could disable auditing, firewalls,
+ or other services, weakening system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85986-8
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing'
+
+ocil: |-
+ Verify that <tt>GRUB_DISABLE_RECOVERY</tt> is set to </tt>true</tt> in <tt>/etc/default/grub</tt> to disable recovery boot.
+ Run the following command:
+
+ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub
+
+fixtext: |-
+ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries.
+ Add or edit the following line in /etc/default/grub:
+
+ GRUB_DISABLE_RECOVERY=true
+
+ Then, run the following command:
+
+ $ sudo {{{ grub_command("update") }}}
+
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..cb8824a6bef
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..7241fd5aad6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee246384416..431b133d416 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -44,7 +44,6 @@ CCE-85982-7
CCE-85983-5
CCE-85984-3
CCE-85985-0
-CCE-85986-8
CCE-85988-4
CCE-85997-5
CCE-85998-3
From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:52:10 +0200
Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP
Use grub2_disable_recovery instead of grub2_disable_interactive_boot
to check solely for the GRUB_DISABLE_RECOVERY=true config option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..8245bb9ce63 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -275,7 +275,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 16:05:22 +0200
Subject: [PATCH 3/5] Fix regular expression
The original expression `^true|"true"$` could match things like
`truex` or `x"true"` because the first alternative doesn't contain
`$` and the second alternative doesn't contain `^`.
---
shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
index 563006cd803..ff64177d6df 100644
--- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
+++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_state id="state_bootloader_disable_recovery_argument"
version="1">
- <ind:subexpression datatype="string" operation="pattern match">^true|"true"$</ind:subexpression>
+ <ind:subexpression datatype="string" operation="pattern match">^(true|"true")$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:18:37 +0200
Subject: [PATCH 4/5] Improve a regular expression
According to
https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn
the option systemd.confirm_spawn can be also specified without an
argument, with the same effect as a positive boolean. This commit
changes the regular expression used in checks for this, forbidding also
the occurence of systemd.confirm_spawn without any argument. Also
improves whitespace handling. Also adds a test scenario covering the
situation in which the systemd.confirm_spawn is also specified without
an argument.
---
.../oval/shared.xml | 2 +-
...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
index 837fc037300..e7358a49fa9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
@@ -25,7 +25,7 @@
<ind:textfilecontent54_object id="object_grub2_disable_interactive_boot_grub_cmdline_linux"
version="1">
<ind:filepath>/etc/default/grub</ind:filepath>
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
new file mode 100644
index 00000000000..37a12f021e4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# The option systemd.confirm_spawn can be also specified without an argument,
+# with the same effect as a positive boolean.
+CONFIRM_SPAWN_OPT="systemd.confirm_spawn"
+
+if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
+
+if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:36:07 +0200
Subject: [PATCH 5/5] Fix missing newlines at EOF
---
.../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +-
.../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +-
.../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
index f6285cb13cb..4348e239f2e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -17,4 +17,4 @@
{{% else %}}
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL
-{{% endif -%}}
\ No newline at end of file
+{{% endif -%}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
index cb8824a6bef..e8fa3574436 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
index 7241fd5aad6..20392dc7f7a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'

27
scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
View File

@ -1,27 +0,0 @@
From b18adf58035b2c2ce1d4259bccb52d364bf7a6a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Jul 2022 15:22:03 +0200
Subject: [PATCH] Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP
Removal of the role and severity attributes will cause that
the rule will start to be evaluated and remediation will
actually disable the user namespaces on the target system.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083716
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 1fad0031749..136bb163646 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -135,8 +135,6 @@ selections:
- sysctl_kernel_yama_ptrace_scope
- sysctl_kernel_perf_event_paranoid
- sysctl_user_max_user_namespaces
- - sysctl_user_max_user_namespaces.role=unscored
- - sysctl_user_max_user_namespaces.severity=info
- sysctl_kernel_unprivileged_bpf_disabled
- sysctl_net_core_bpf_jit_harden
- service_kdump_disabled

809
scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
View File

@ -1,809 +0,0 @@
From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:45:20 +0200
Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth
Extends the OCIL text according to the OVAL check.
---
.../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index cc0a2c53017..1d5febf54c7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -53,7 +53,7 @@ ocil: |-
To check if authentication is required for emergency mode, run the following command:
<pre>$ grep sulogin /usr/lib/systemd/system/emergency.service</pre>
The output should be similar to the following, and the line must begin with
- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}}
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
<pre>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</pre>
{{%- else -%}}
@@ -61,4 +61,20 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ Then, check if the emergency target requires the emergency service:
+ Run the following command:
+ <pre>$ sudo grep Requires /usr/lib/systemd/system/emergency.target</pre>
+ The output should be the following:
+ <pre>Requires=emergency.service</pre>
+
+ Then, check if there is no custom emergency target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.target /etc/systemd/system/</pre>
+ The output should be empty.
+
+ Then, check if there is no custom emergency service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.service /etc/systemd/system/</pre>
+ The output should be empty.
+
platform: machine
From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:46:19 +0200
Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth
---
.../require_emergency_target_auth/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 1d5febf54c7..c4860915b67 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -78,3 +78,13 @@ ocil: |-
The output should be empty.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication for system emergency mode.
+
+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:16 +0200
Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 8d7a4fa7b74..cbd048aad0a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -70,4 +70,22 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ {{% if product not in ["ol8", "rhel8"] %}}
+ Then, verify that the rescue service is in the runlevel1.target.
+ Run the following command:
+ <pre>$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target</pre>
+ The output should be the following:
+ <pre>Requires=sysinit.target rescue.service</pre>
+
+ Then, check if there is no custom runlevel1 target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^runlevel1.target$" /etc/systemd/system</pre>
+ There should be no output.
+
+ Then, check if there is no custom rescue service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
+ There should be no output.
+ {{% endif %}}
+
platform: machine
From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:30 +0200
Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index cbd048aad0a..3a0cad455cc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -89,3 +89,20 @@ ocil: |-
{{% endif %}}
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication in single user mode.
+
+ {{% if init_system == "systemd" -%}}
+ Add or update the following line in "/usr/lib/systemd/system/rescue.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ {{%- elif product in ["rhel7"] -%}}
+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
+ {{%- else -%}}
+ Add or update the following line in "/etc/sysconfig/init":
+ SINGLE=/sbin/sulogin
+ {{%- endif %}}
From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:12 +0200
Subject: [PATCH 05/20] Update OCIL in grub2_admin_username
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a43d5fcc038..0c824434e07 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,17 +52,17 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'it does not'
+ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:28 +0200
Subject: [PATCH 06/20] Add fixtext for grub2_admin_username
---
.../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 0c824434e07..a813b417a00 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -73,3 +73,14 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="<unique_user_id>"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:21 +0200
Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password
---
.../non-uefi/grub2_password/rule.yml | 35 ++++++-------------
1 file changed, 10 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index ad515a65ee7..268f48a16c1 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -77,33 +77,18 @@ references:
stigid@sle15: SLES-15-010190
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'it does not produce any output'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg</pre>
- {{% else %}}
- <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo cat /etc/grub.d/40_custom</pre>
- The output should be similar to:
- <pre>set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_boot_path }}}/user.cfg</pre>
- The output should be similar to:
- <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
+ {{{ grub2_boot_path }}}/grub.cfg.
+ Run the following commands:
+ <pre>$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
+ $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
+ </pre>
+
+ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
+ <pre>$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' {{{ grub2_boot_path }}}/grub.cfg</pre>
warnings:
- general: |-
From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:34 +0200
Subject: [PATCH 08/20] Add fixtext for grub2_password
Adopted from the RHEL 8 STIG spreadsheet.
---
.../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 268f48a16c1..4a7e0694884 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -99,3 +99,20 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Generate an encrypted grub2 password for the grub superuser account with the following command:
+
+ $ sudo grub2-setpassword
+ Enter password:
+ Confirm password:
+
+ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:12 +0200
Subject: [PATCH 09/20] Fix a typo
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 17b4918c5f5..fcf9031fa93 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -15,7 +15,7 @@ description: |-
admin, or administrator for the grub2 superuser account.
<br /><br />
Change the superuser to a different username (The default is 'root').
- <pre>$ sed -i 's/\(set superuser=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
+ <pre>$ sed -i 's/\(set superusers=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
<br /><br />
Once the superuser account has been added,
update the
From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:44 +0200
Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index fcf9031fa93..c76d086c5f2 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -64,12 +64,12 @@ ocil_clause: 'it does not'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2-efi.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:57 +0200
Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username
---
.../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index c76d086c5f2..2a4556c1659 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -80,3 +80,16 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Select a password-protected superuser account with unique name, and modify the
+ "/etc/grub.d/01_users" configuration file to reflect the account name change.
+
+ Add or edit the following line in /etc/grub.d/01_users:
+
+ set superusers=<unique user id>
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:09 +0200
Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 30 +++----------------
1 file changed, 4 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4579b1ff2e7..ee4f6c1470a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -77,39 +77,17 @@ references:
stigid@sle15: SLES-15-010200
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'no password is set'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}}
- <pre>sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom</pre>
- {{% else %}}
- <pre>sudo grep "password" /etc/grub2-efi.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should be similar to:
- <pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% elif "ubuntu" in product %}}
- <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should contain something similar to:
- <pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
+ To verify the boot loader superuser password has been set, run the following command:
+ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+
warnings:
- general: |-
From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:31 +0200
Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index ee4f6c1470a..4ed65d5f68d 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -98,3 +98,18 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to use a secure UEFI boot loader password.
+
+ Run the following command:
+ $ sudo grub2-setpassword
+
+ When prompted, enter the password that was selected.
+ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+
+ set superusers="boot"
+ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+
+ Then, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 26 Apr 2022 08:43:08 +0200
Subject: [PATCH 14/20] Fix a typo
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a813b417a00..88551a068bf 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,7 +52,7 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
+ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:07:51 +0200
Subject: [PATCH 15/20] Add an update operation to macro grub_command
---
shared/macros/general.jinja | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja
index 3802ea40eea..df4c696d3ca 100644
--- a/shared/macros/general.jinja
+++ b/shared/macros/general.jinja
@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
{{#
-Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader.
+Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader.
Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.)
Part of the grub2_bootloader_argument(_absent) templates.
-:param action: What to do with the argument, either "add" or "remove".
+:param action: What to do with the argument, must be one of: "update", "add", "remove".
:type action str:
:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit".
:type arg_name_value str:
#}}
-{{% macro grub_command(action, arg_name_value) -%}}
+{{% macro grub_command(action, arg_name_value=None) -%}}
{{%- if 'ubuntu' in product -%}}
{{%- set grub_helper_executable = "update-grub" -%}}
{{%- set grub_helper_args = [] -%}}
@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates.
{{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}}
{{%- else -%}}
{{%- set grub_helper_executable = "grubby" -%}}
- {{%- if action == "add" -%}}
+ {{%- if action == "update" -%}}
+ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}}
+ {{%- elif action == "add" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}}
{{%- elif action == "remove" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}}
From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:08:54 +0200
Subject: [PATCH 16/20] Use grub_command macro in rules in
SRG-OS-000080-GPOS-00048
---
.../non-uefi/grub2_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------
.../uefi/grub2_uefi_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------
4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 88551a068bf..5557664f8be 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -83,4 +83,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 4a7e0694884..43c63b56ffc 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -115,4 +111,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 2a4556c1659..bd07ab2ee29 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -92,4 +92,5 @@ fixtext: |-
set superusers=<unique user id>
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4ed65d5f68d..98144a9e651 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -112,4 +108,5 @@ fixtext: |-
password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:09:14 +0200
Subject: [PATCH 17/20] Update OCIL
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 5557664f8be..ccf7ca74932 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
- set superusers="<unique_user_id>"
+ set superusers="superusers-account"
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index bd07ab2ee29..61e2e4e066f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -59,7 +59,7 @@ references:
stigid@rhel7: RHEL-07-010492
stigid@rhel8: RHEL-08-010141
-ocil_clause: 'it does not'
+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
@@ -89,7 +89,7 @@ fixtext: |-
Add or edit the following line in /etc/grub.d/01_users:
- set superusers=<unique user id>
+ set superusers="superusers-account"
Once the superuser account has been added, update the grub.cfg file by running:
From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:19:19 +0200
Subject: [PATCH 18/20] Use a unique account name for the superusers account
---
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 98144a9e651..58fb77ab98f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -103,9 +103,10 @@ fixtext: |-
When prompted, enter the password that was selected.
Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+ Use a unique account name for the superusers account.
- set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+ set superusers="superusers-account"
+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 6 May 2022 13:51:29 +0200
Subject: [PATCH 19/20] Apply suggestions from code review
Co-authored-by: Matthew Burket <m@tthewburket.com>
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index ccf7ca74932..7a9f397f744 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 61e2e4e066f..8d6ebad550c 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.
From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 9 May 2022 08:33:54 +0200
Subject: [PATCH 20/20] Replace the system by full name
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 7a9f397f744..14bdfd57a6d 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 43c63b56ffc..211d8b28a84 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -97,7 +97,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8d6ebad550c..d36dbcbb187 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.

21
scap-security-guide.spec
View File

@ -5,8 +5,8 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.62 Version: 0.1.63
Release: 2%{?dist} Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
@ -24,20 +24,6 @@ BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5 Requires: xml-common, openscap-scanner >= 1.2.5
Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
Patch1: scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
Patch7: scap-security-guide-0.1.63-add_grub2_systemd_debug-shell_argument_absent-PR_9100.patch
Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_size-PR_9113.patch
Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
Patch12: scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
%description %description
The scap-security-guide project provides a guide for configuration of the The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified system from the final system's security point of view. The guidance is specified
@ -112,6 +98,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif %endif
%changelog %changelog
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2 * Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719) - Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154) - Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)

2
sources
View File

@ -1 +1 @@
SHA512 (scap-security-guide-0.1.62.tar.bz2) = b8cdd76ad0c09c9257121283df6e5a8f2acd6c9734ff9b577673ce8ff04af8a1b9ceb37621cb8bd0873391f771844e0479954850ae77b442c780206b957a0e09 SHA512 (scap-security-guide-0.1.63.tar.bz2) = ad2f7f873af22b0bc2916d8487f6d5621c65495c4c84a0a4e8c98969d5edd2a0833e956b32c19c893e1852b15adc65af24bb4fea7db71b3042c5e1b512a3957b