import scap-security-guide-0.1.50-14.el8

CentOS Sources 2020-11-03 06:56:01 -05:00 committed by Andrew Lukoshko
parent 41c5266b38
commit 156c539340
42 changed files with 5412 additions and 4201 deletions

.gitignore

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.48.tar.bz2
SOURCES/scap-security-guide-0.1.50.tar.bz2


@ -1 +1 @@
a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2


@ -8,8 +8,6 @@ Also disable tables for profiles that are not built.
---
rhel8/CMakeLists.txt | 2 --
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/hipaa.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
@ -40,26 +38,6 @@ index 05ea9cdd6..9c55ac5b1 100644
title: 'Criminal Justice Information Services (CJIS) Security Policy'
diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
index eb62252a4..e8f369708 100644
--- a/rhel8/profiles/cui.profile
+++ b/rhel8/profiles/cui.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
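Review bot: documentation_complete is a documentation flag being repurposed here to drop the cui profile from the build (the message above says "disable tables for profiles that are not built"); a one-line comment in the profile stating that it is intentionally excluded from the RHEL 8 build, and why, would stop a later contributor from flipping it back to true to "fix" the missing documentation.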
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index 8d20f9019..d641b56fe 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -1,4 +1,4 @@
-documentation_complete: True
+documentation_complete: false
title: 'Health Insurance Portability and Accountability Act (HIPAA)'
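Review bot: the removed line spelled the value `True` while cui.profile used `true`; the YAML loader accepts both as booleans, so behaviour is the same either way, but since this hunk normalises to lowercase `false` the remaining profiles in the diffstat (rhelh-stig, rhelh-vpp, rht-ccp) should be checked for the same spelling so the files stay consistent.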
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile


@ -1,21 +0,0 @@
From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 Feb 2020 13:53:46 +0100
Subject: [PATCH] Add CCE identifier for openssh-server installed
---
.../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index ba013ec509..cecd6514fb 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: 80215-7
+ cce@rhel8: 83303-8
references:
disa: 2418,2420,2421,2422
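Review bot: the diffstat says "2 files changed, 1 insertion(+), 1 deletion(-)" but only the rule.yml insertion is present; the deletion should be the removal of CCE-83303-8 from shared/references/cce-redhat-avail.txt (the bookkeeping the openssl_use_strong_entropy patch in this import does for CCE-82721-2). As imported, this patch file appears to be missing that hunk, which leaves the identifier marked as still available for reuse.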


@ -1,150 +0,0 @@
From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 5 Feb 2020 10:23:44 +0100
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
---
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 1b42b7233b..4dcbc458d1 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
+ srg: SRG-OS-000096-GPOS-00050
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 298f17d2d8..d1ec9f644e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ identifiers:
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+ srg: SRG-OS-000368-GPOS-00154
platform: machine
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index b20323c1af..39aa044941 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -34,7 +34,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: OS-SRG-000029-GPOS-00010
+ srg: SRG-OS-000029-GPOS-00010
stigid@rhel7: "010110"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
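Review bot: the fix corrects a transposed prefix (OS-SRG- instead of SRG-OS-), and the same malformed prefix appears in the next hunk for dconf_gnome_screensaver_lock_enabled, so the typo was not isolated; a cheap unit test over the references section that requires every `srg:` value to match `SRG-OS-[0-9]{6}-GPOS-[0-9]{5}` would have caught both and will catch the next one.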
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 0380f0149f..7742b8d862 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -35,7 +35,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@rhel7: "010060"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 10:33:54 +0100
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
The SRG is about configuring the system in accordance with security
baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
---
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 4bfb72702b..62b2d01924 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether the SSH service is configured to use strong entropy seed,
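Review bot: both rules in this patch keep `ospp: FIA_AFL.1` as their OSPP reference; FIA_AFL.1 is the Common Criteria authentication failure handling component and has nothing to do with RNG seeding, so while adding the catch-all SRG-OS-000480-GPOS-00227 is fine, the existing OSPP reference looks like a copy-paste and deserves a fix in the same change.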
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 8a958e93b0..47dc8953e4 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:12:02 +0100
Subject: [PATCH 3/4] Same SRG mapping as
package_subscription-manager_installed
The package provides an interface for automation of package updates
---
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 6b0144fd54..8f081d9a3c 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ srg: SRG-OS-000366-GPOS-00153
ocil_clause: 'the package is not installed'
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:14:35 +0100
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
From rule's rationale:
Binaries in pigz package are compiled without sufficient stack
protection and its ADSLR is weak.
---
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
index 595b78e768..bb724d916d 100644
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
@@ -18,6 +18,9 @@ severity: low
identifiers:
cce@rhel8: 82397-1
+references:
+ srg: SRG-OS-000433-GPOS-00192
+
{{{ complete_ocil_entry_package(package="pigz") }}}
template:
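Review bot: the message justifies the mapping with the rule's rationale ("compiled without sufficient stack protection and its ADSLR is weak"), where ADSLR reads as a typo for ASLR; worth fixing in the message, and worth confirming the rule's own rationale text spells it ASLR, since that is what ends up in the published guide.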


@ -1,23 +0,0 @@
From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 4 Feb 2020 17:38:45 +0100
Subject: [PATCH] Add rules to configure rsyslog TLS
---
rhel8/profiles/stig.profile | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index d85e18e9d0..821cc26914 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -33,3 +33,9 @@ selections:
- encrypt_partitions
- sysctl_net_ipv4_tcp_syncookies
- clean_components_post_updating
+
+ # Configure TLS for remote logging
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
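Review bot: rsyslog_remote_tls and rsyslog_remote_tls_cacert only make sense once package_rsyslog-gnutls_installed has been applied, and selection order in a profile carries no dependency semantics; if the two TLS rules do not already declare that dependency, the body_of_warning_about_dependent_rule macro in shared/macros.jinja is the place to do it, so that someone selecting the TLS rules alone is told what else they need.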


@ -1,36 +0,0 @@
From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
<vpolasek@redhat.com>
Date: Mon, 3 Feb 2020 11:37:50 +0100
Subject: remove rsyslog rules from ospp
---
rhel8/profiles/ospp.profile | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index ef3ced501..fb653de9d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -178,8 +178,6 @@ selections:
- package_audispd-plugins_installed
- package_scap-security-guide_installed
- package_audit_installed
- - package_rsyslog_installed
- - package_rsyslog-gnutls_installed
- package_gnutls-utils_installed
- package_nss-tools_installed
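Review bot: this removal is broader than the "# Configure TLS for remote logging" block handled in the next hunk: the base package_rsyslog_installed selection goes too, not only the gnutls plugin, and neither the hunk nor the message "remove rsyslog rules from ospp" records why the base package is no longer required by the profile.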
@@ -391,8 +389,7 @@ selections:
- timer_dnf-automatic_enabled
# Configure TLS for remote logging
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
+ # temporarily dropped
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab
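Review bot: "# temporarily dropped" gives no reason and no tracking reference; the comment should say what blocks the two rules (the stig.profile patch in this same import adds the same four rules) and when they are expected back, otherwise "temporarily" tends to become permanent.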
--
2.25.0


@ -1,49 +0,0 @@
From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 6 Feb 2020 11:29:31 +0100
Subject: [PATCH] Map missing SRG rules
---
.../guide/system/software/gnome/dconf_db_up_to_date/rule.yml | 3 +++
.../system-tools/package_gnutls-utils_installed/rule.yml | 1 +
.../software/system-tools/package_nss-tools_installed/rule.yml | 1 +
3 files changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
index 3017b789f8..3e0b4fa2d1 100644
--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
@@ -20,6 +20,9 @@ identifiers:
cce@rhel8: 81003-6
cce@rhel7: 81004-4
+references:
+ srg: SRG-OS-000480-GPOS-00227
+
ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles'
ocil: |-
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
index ebb8ad95f0..1374900664 100644
--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
index 32c9c32893..5d0d679a1a 100644
--- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'the package is not installed'
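Review bot: this hunk and the two above it all map to SRG-OS-000480-GPOS-00227, the catch-all "configure in accordance with DoD baselines" item described in the strong-entropy mapping patch's message; that is acceptable for utility packages such as gnutls-utils and nss-tools, but dconf_db_up_to_date is a configuration-integrity check, so it is worth checking whether a more specific SRG applies before falling back to the catch-all.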


@ -1,49 +0,0 @@
From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 14:17:00 +0100
Subject: [PATCH 1/2] Don't check for path len of logs directory
The logs are not part of the tarball, nor used to build the content.
---
tests/ensure_paths_are_short.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
index 5d4e27cb91..18d4c662ff 100755
--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
@@ -13,6 +13,10 @@ def main():
ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
max_path = ""
for dir_, _, files in os.walk(ssg_root):
+ # Don't check for path len of log files
+ # They are not shipped nor used during build
+ if "tests/logs/" in dir_:
+ continue
for file_ in files:
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
if len(path) > len(max_path):
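Review bot: `if "tests/logs/" in dir_` is a substring test on the absolute path, so a checkout living under a parent directory that itself contains "tests/logs/" would skip the entire tree, while the intended directory is only matched by accident of its position; the follow-up patch in this series moves to a path relative to ssg_root, which is the right direction.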
From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 15:05:17 +0100
Subject: [PATCH 2/2] Skip only only tests/logs/ from project root
---
tests/ensure_paths_are_short.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
index 18d4c662ff..b9e985fea0 100755
--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
@@ -15,7 +15,8 @@ def main():
for dir_, _, files in os.walk(ssg_root):
# Don't check for path len of log files
# They are not shipped nor used during build
- if "tests/logs/" in dir_:
+ current_relative_path = os.path.relpath(dir_, ssg_root)
+ if current_relative_path.startswith("tests/logs/"):
continue
for file_ in files:
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
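Review bot: os.path.relpath(dir_, ssg_root) returns "tests/logs" with no trailing separator for the directory itself, so `startswith("tests/logs/")` is false there and files placed directly in tests/logs/ are still length-checked; only its subdirectories are skipped. Use `current_relative_path == "tests/logs" or current_relative_path.startswith("tests/logs" + os.sep)` to cover both cases.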


@ -1,593 +0,0 @@
From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 27 Jan 2020 11:51:53 +0100
Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.
---
.../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
new file mode 100644
index 0000000000..e9ea8ed338
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+prodtype: rhel8
+
+title: 'OpenSSL uses strong entropy source'
+
+description: |-
+ To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+ save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ <pre>
+ # provide a default -rand /dev/random option to openssl commands that
+ # support it
+
+ # written inefficiently for maximum shell compatibility
+ openssl()
+ (
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+ )
+ </pre>
+
+rationale: |-
+ The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+ The referenced script is sourced to every login shell, and it transparently adds an option
+ that enforces strong entropy to every <tt>openssl</tt> invocation,
+ which makes <tt>openssl</tt> more secure by default.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82721-2
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+ make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ that are included in the rule's description.
+
+ocil_clause: |-
+ there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
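Review bot: two points in the rule text. The ocil says "correcrlty" (typo for "correctly"). And the rationale's "sourced to every login shell" overstates the coverage: a shell function defined in /etc/profile.d only wraps openssl for shells that source profile.d, so services, cron jobs, scripts run by a non-login shell, and anything that calls /usr/bin/openssl by path bypass it entirely. The description should say so, in the same way the warning already states the /dev/random blocking caveat.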
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 63aea526b7..ef3ced5010 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -59,6 +59,7 @@ selections:
- sshd_enable_warning_banner
- sshd_rekey_limit
- sshd_use_strong_rng
+ - openssl_use_strong_entropy
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4cb08794f4..1733872dfa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -248,6 +248,5 @@
CCE-82719-6
CCE-82720-4
-CCE-82721-2
CCE-82722-0
CCE-82723-8
CCE-82724-6
From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Jan 2020 19:35:06 +0100
Subject: [PATCH 2/6] create checks, remediations,
---
.../ansible/shared.yml | 12 +++++++
.../openssl_use_strong_entropy/bash/shared.sh | 5 +++
.../oval/shared.xml | 34 +++++++++++++++++++
.../openssl_use_strong_entropy/rule.yml | 29 +---------------
shared/macros.jinja | 34 ++++++++++++++++++-
5 files changed, 85 insertions(+), 29 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
new file mode 100644
index 0000000000..3ce26d6525
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "copy a file with shell snippet to configure openssl strong entropy"
+ copy:
+ dest: /etc/profile.d/cc-config.sh
+ content: |+
+ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+
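Review bot: `indent(8, blank=True)` needs Jinja2 2.10 or newer, where the `blank` argument was added; the content build runs on the host's Jinja2, so this breaks builds on older hosts, which is exactly what patch 4/6 in this series then has to revert. Templates should target the oldest Jinja2 the project builds on from the start.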
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
new file mode 100644
index 0000000000..db5c331ce7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+{{{ openssl_strong_entropy_config_file() }}}
+EOM
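Review bot: the heredoc uses `<<- 'EOM'`, which strips leading tab characters; the macro output is space-indented so nothing is stripped today, which is what the SHA-256 pinned in the OVAL check requires, but a future re-indent of the macro with tabs would silently change the file that gets written and break the hash-based check. A plain `<< 'EOM'` removes that trap.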
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
new file mode 100644
index 0000000000..b441b7ae6e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+ <metadata>
+ <title>Configure Openssl to use strong entropy</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 8</platform>
+ <platform>multi_platform_fedora</platform>
+ </affected>
+ <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_openssl_strong_entropy"
+ comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
+ </criteria>
+ </definition>
+
+ <ind:filehash58_test id="test_openssl_strong_entropy"
+ comment="Test if openssl is configured to generate random data with strong entropy" version="1"
+ check="all" check_existence="all_exist">
+ <ind:object object_ref="object_openssl_strong_entropy"/>
+ <ind:state state_ref="state_openssl_strong_entropy"/>
+ </ind:filehash58_test>
+
+ <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+
+ <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+</def-group>
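Review bot: pinning the check to a SHA-256 of the whole file means any edit to /etc/profile.d/cc-config.sh, even a comment or trailing whitespace, fails the rule, and the check cannot distinguish a hardened-but-edited file from the "wrong data" case; that is a defensible choice for an OSPP rule, but the digest in state_openssl_strong_entropy is now a third copy of the wrapper (macro, remediation, OVAL) that has to be regenerated by hand whenever the macro changes. A build-time test that renders openssl_strong_entropy_config_file() and compares its SHA-256 with this value would catch drift. The hard-coded platform list is also narrower than the rule's prodtype handling; patch 5/6 switches it to oval_affected(products).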
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index e9ea8ed338..3b01da01af 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -9,34 +9,7 @@ description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
<pre>
- # provide a default -rand /dev/random option to openssl commands that
- # support it
-
- # written inefficiently for maximum shell compatibility
- openssl()
- (
- openssl_bin=/usr/bin/openssl
-
- case "$*" in
- # if user specified -rand, honor it
- *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
- esac
-
- cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
- for i in `$openssl_bin list -commands`; do
- if $openssl_bin list -options "$i" | grep -q '^rand '; then
- cmds=" $i $cmds"
- fi
- done
-
- case "$cmds" in
- *\ "$1"\ *)
- cmd="$1"; shift
- exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
- esac
-
- exec $openssl_bin "$@"
- )
+ {{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 77f8eb31c7..8a25acc937 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
- When selecting this rule in a profile,
+ When selecting this rule in a profile,
{{%- if why %}}
make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
{{%- else %}}
rule <code>{{{ rule_id }}}</code> has to be selected as well.
{{%- endif %}}
{{% endmacro %}}
+
+{{% macro openssl_strong_entropy_config_file() -%}}
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+
+{{%- endmacro %}}
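Review bot: the first change in this hunk ("When selecting this rule in a profile,") is a whitespace-only edit to body_of_warning_about_dependent_rule that is unrelated to the new macro and should be a separate commit, or at least mentioned in the message. On the macro itself: `case "$*"` joins all arguments with spaces, so a single argument that contains " -rand " or "-help" (a file name, for instance) also triggers the bypass branch and the invocation runs without the injected `-rand /dev/random`; not a hole, but worth a comment so nobody later "tightens" or "optimises" the patterns without knowing the trade-off.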
From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jan 2020 13:42:40 +0100
Subject: [PATCH 3/6] add tests
---
.../tests/correct.pass.sh | 34 +++++++++++++++++++
.../tests/file_missing.fail.sh | 5 +++
.../tests/file_modified.fail.sh | 5 +++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
new file mode 100644
index 0000000000..0bffab3c81
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+EOM
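Review bot: the test writes the wrapper as a literal copy instead of rendering openssl_strong_entropy_config_file(), so there are now three independent copies (macro, OVAL digest, this test) that must stay byte-identical; a macro change that also updates the digest would make this test fail, and a test that fails only when it happens to be out of sync with a copy is not testing the rule. If test scripts go through the same Jinja rendering as the remediations, render the macro here as bash/shared.sh does.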
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c1d526902c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
new file mode 100644
index 0000000000..313d14a37f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo "wrong data" > /etc/profile.d/cc-config.sh
From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Jan 2020 11:12:46 +0100
Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do
not support it
---
.../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 3ce26d6525..bdc530f9f5 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -8,5 +8,5 @@
copy:
dest: /etc/profile.d/cc-config.sh
content: |+
- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+ {{{ openssl_strong_entropy_config_file()|indent(8) }}}
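Review bot: dropping `blank=True` leaves the macro's empty lines unindented inside the `content: |+` block scalar; YAML treats an empty line inside a block scalar as a blank line regardless of indentation, so the file Ansible writes should be byte-identical, but because the OVAL check is a SHA-256 of that file the proof is an Ansible remediation run followed by the OVAL check, and that should be stated in the message.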
From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 30 Jan 2020 14:25:31 +0100
Subject: [PATCH 5/6] reword rationale, change file name
from cc-config.sh to openssl-rand.sh
change title of oval
---
.../openssl_use_strong_entropy/ansible/shared.yml | 2 +-
.../openssl_use_strong_entropy/bash/shared.sh | 2 +-
.../openssl_use_strong_entropy/oval/shared.xml | 11 ++++-------
.../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++---------
.../tests/correct.pass.sh | 2 +-
.../tests/file_missing.fail.sh | 2 +-
.../tests/file_modified.fail.sh | 2 +-
7 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index bdc530f9f5..6ee232892d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -6,7 +6,7 @@
- name: "copy a file with shell snippet to configure openssl strong entropy"
copy:
- dest: /etc/profile.d/cc-config.sh
+ dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
index db5c331ce7..d8c9935005 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = Red Hat Enterprise Linux 8
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
{{{ openssl_strong_entropy_config_file() }}}
EOM
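Review bot: renaming the target to openssl-rand.sh does not clean up /etc/profile.d/cc-config.sh on any host that was remediated under the earlier name; such a host would source both files (same function defined twice, harmless) and keep the stale file indefinitely. If the earlier name was ever deployed, add `rm -f /etc/profile.d/cc-config.sh` here and a matching `state: absent` file task to the Ansible remediation.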
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
index b441b7ae6e..847754f36d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -1,11 +1,8 @@
<def-group>
<definition class="compliance" id="openssl_use_strong_entropy" version="1">
<metadata>
- <title>Configure Openssl to use strong entropy</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 8</platform>
- <platform>multi_platform_fedora</platform>
- </affected>
+ <title>Configure OpenSSL to use strong entropy</title>
+ {{{- oval_affected(products) }}}
<description>OpenSSL should be configured to generate random data with strong entropy.</description>
</metadata>
<criteria>
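Review bot: replacing the explicit `<affected>` block with `{{{- oval_affected(products) }}}` also drops `multi_platform_fedora`, which the removed lines listed; the rule's `prodtype` later in this series is `rhel8` only, so the rendered check now applies to fewer platforms than before. If Fedora support is meant to stay, it has to be added to `prodtype`; otherwise the commit message should mention the narrowing.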
@@ -22,12 +19,12 @@
</ind:filehash58_test>
<ind:filehash58_object id="object_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
</ind:filehash58_object>
<ind:filehash58_state id="state_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
<ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
</ind:filehash58_state>
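Review bot: the `<ind:hash>` value stays the same while both `<ind:filepath>` entries move to `/etc/profile.d/openssl-rand.sh`, which is correct only because the file body is unchanged; the state pins the exact SHA-256 of whatever `openssl_strong_entropy_config_file()` renders. Since the Ansible remediation writes it via `content: |+` and the bash one via a heredoc, a single trailing-newline difference between them makes one remediation fail this check. Add a test that renders the macro, hashes it and compares the result against this constant, so a future edit to the macro cannot silently turn the rule into a permanent fail.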
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 3b01da01af..dd82336532 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
- The referenced script is sourced to every login shell, and it transparently adds an option
- that enforces strong entropy to every <tt>openssl</tt> invocation,
- which makes <tt>openssl</tt> more secure by default.
+ This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
severity: medium
-
identifiers:
cce@rhel8: 82721-2
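Review bot: the new one-line `rationale` says `openssl` "always uses" an SP800-90A compliant RNG, but the removed lines stated the actual scope: the wrapper is sourced into login shells, so `openssl` invocations from cron, services or non-login shells are untouched. Keep the mechanism sentence (script sourced by every login shell, adds `-rand /dev/random` to each invocation) next to the SP800-90A statement so the rationale does not overstate coverage, and `uses SP800-90A compliant` should read `uses an SP800-90A compliant`. The deleted empty line before `identifiers:` is unrelated noise in this hunk.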
@@ -27,12 +23,12 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
- make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
that are included in the rule's description.
ocil_clause: |-
- there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+ there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
warnings:
- general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
index 0bffab3c81..d7f3ce8c87 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -2,7 +2,7 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
# provide a default -rand /dev/random option to openssl commands that
# support it
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
index c1d526902c..64a580da91 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-rm -f /etc/profile.d/cc-config.sh
+rm -f /etc/profile.d/openssl-rand.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
index 313d14a37f..2c812e874b 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-echo "wrong data" > /etc/profile.d/cc-config.sh
+echo "wrong data" > /etc/profile.d/openssl-rand.sh
From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 31 Jan 2020 16:34:48 +0100
Subject: [PATCH 6/6] Rule and remediation wording improvements.
---
.../openssl_use_strong_entropy/ansible/shared.yml | 3 +--
.../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++-----
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 6ee232892d..25afb8e27f 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -4,9 +4,8 @@
# complexity = low
# disruption = low
-- name: "copy a file with shell snippet to configure openssl strong entropy"
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
copy:
dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
-
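Review bot: the removed trailing empty line is not cosmetic here: `content: |+` uses the keep chomping indicator, so blank lines at the end of the block scalar become trailing newlines in `/etc/profile.d/openssl-rand.sh`, and the OVAL check compares an exact SHA-256 of that file. Verify that the file written after this change still hashes to the value in `oval/shared.xml`, or switch to `content: |` so the trailing-newline count does not depend on YAML layout.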
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index dd82336532..8a958e93b0 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -6,14 +6,18 @@ prodtype: rhel8
title: 'OpenSSL uses strong entropy source'
description: |-
- To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
+ A way to configure OpenSSL to always use a strong source is to setup a wrapper that
+ defines a shell function that shadows the actual <tt>openssl</tt> binary,
+ and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
+
+ To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+ This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
severity: medium
identifiers:
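Review bot: grammar in the added description and rationale: `to setup a wrapper` should be `to set up a wrapper`, `a SP800-90A compliant` should be `an SP800-90A compliant` (it appears twice), and `invocations always uses SP800-90A compliant random number generator as a default behavior` should be `invocations always use an SP800-90A compliant random number generator by default`. `place the following shell snippet exactly as-is` is the right instruction given that the check hashes the file; say why (the check compares a checksum) so an administrator does not reformat it.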
@@ -23,8 +27,9 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correctly,
- make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+ uses a SP800-90A compliant entropy source,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
that are included in the rule's description.
ocil_clause: |-


@ -1,855 +0,0 @@
From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:49:36 +0100
Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
---
shared/macros-ansible.jinja | 20 +++++++++++++++++++
shared/macros-bash.jinja | 26 +++++++++++++++++++++++++
shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++-----
3 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 3e4a441225..c42a5156ce 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -141,6 +141,26 @@
{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a value in a shell-related file that contains var assignments. This
+ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
+ in the configuration file, and the value to set it to. We specify a case
+ sensitive comparison in the prefix since this is used to deduplicate since
+ We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
+#}}
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
+{{% if no_quotes -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+ {{% if "$" in value %}}
+ {{% set value = '"%s"' % value %}}
+ {{% else %}}
+ {{% set value = "'%s'" % value %}}
+ {{% endif %}}
+{{%- endif -%}}
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{%- endmacro %}}
+
{{#
High level macro to set a command in tmux configuration file /etc/tmux.conf.
Parameters:
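Review bot: `insert_before="^[#\s]*Match"` in the new `ansible_shell_set` is copied from the sshd macro above it; `Match` is an sshd_config keyword and has no meaning in a file of shell variable assignments, so the anchor should be dropped or derived from `parameter`. Also the `{{% if no_quotes -%}}` branch is empty (invert it to `if not no_quotes`), `quotes` is assigned and never used, and the comment ends mid-sentence (`since this is used to deduplicate since`). A value containing `"` is wrapped in double quotes without any escaping, which produces an invalid assignment.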
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 43200bdd8a..6c0bb2facc 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -1,5 +1,31 @@
{{# ##### High level macros ##### #}}
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+{{% if no_quotes -%}}
+ {{% if "$" in value %}}
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% endif %}}
+{{%- else -%}}
+ {{% if "$" in value %}}
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% else %}}
+ {{% set value = "'%s'" % value %}}
+ {{% endif %}}
+{{%- endif -%}}
+{{{ set_config_file(
+ path=path,
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="^Match",
+ insensitive=false,
+ separator="=",
+ separator_regex="=",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{%- macro bash_sshd_config_set(parameter, value) -%}}
{{{ set_config_file(
path="/etc/ssh/sshd_config",
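Review bot: `insert_before="^Match"` in `bash_shell_file_set` is an sshd_config leftover, as in the Ansible macro, and should anchor on the parameter instead. The single-quote branch `"'%s'" % value` performs no escaping, so a value containing `'` yields a broken assignment, and the `no_quotes` branch emits whitespace-containing values unquoted (`something=va lue`), which is not a valid assignment in a sourced shell file; either reject such values or document that `no_quotes` is only for single-token values.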
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 2049a24d6e..696cf36db0 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -17,8 +17,9 @@
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
- section (String): If set, the parameter will be checked only within the given section defined by [section].
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
#}}
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
@@ -60,7 +61,7 @@
</definition>
{{{ oval_line_in_file_test(path, parameter) }}}
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
- {{{ oval_line_in_file_state(value, multi_value) }}}
+ {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
{{%- if missing_parameter_pass %}}
{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
@@ -173,12 +174,21 @@
This macro can take two parameters:
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
+{{%- set regex = value -%}}
+{{%- if quotes != "" %}}
+{{%- if "\\1" in value > 0 %}}
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
+{{%- endif %}}
+{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
+{{%- endif %}}
{{%- if multi_value %}}
-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
{{%- else %}}
-{{%- set regex = "^"+value+"$" -%}}
+{{%- set regex = "^"+regex+"$" -%}}
{{%- endif %}}
<ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
<ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
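Review bot: the guard `{{%- if "\\1" in value > 0 %}}` is a chained comparison: it evaluates as `("\\1" in value) and (value > 0)`, so precisely when the value does contain `\1` the second half compares a string with an integer and raises a TypeError instead of the intended `raise(...)` message. Drop `> 0`. The quoting regex `((?:"|')?)...\\1` itself is sound: the single capturing group at the start is back-referenced at the end, which is why the guard against pre-existing `\1` references is needed.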
@@ -232,6 +242,25 @@
{{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
{{%- endmacro %}}
+{{#
+ High level macro to check if a particular shell variable is set.
+ This macro can take five parameters:
+ - path (String): Path to the file.
+ - parameter (String): The shell variable name.
+ - value (String): The variable value WITHOUT QUOTES.
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+#}}
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{% if no_quotes -%}}
+{{%- set quotes = "" -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+{{%- endif -%}}
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
+{{%- endmacro %}}
+
{{#
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
This function can take five parameters:
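Review bot: the docstring says `This macro can take five parameters` but `oval_check_shell_file` takes eight, and `application` and `no_quotes` are undocumented even though `no_quotes` changes matching (an empty `quotes` string makes quoted assignments fail the check). List all parameters and state that `value` is used as a regular expression, as the `oval_check_config_file` comment above does, since `WITHOUT QUOTES` alone suggests a literal string.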
From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:50:16 +0100
Subject: [PATCH 2/7] Added tests for shell lineinfile.
---
tests/test_macros_oval.py | 142 ++++++++++++++++++
.../unit/bash/test_set_config_file.bats.jinja | 56 +++++++
2 files changed, 198 insertions(+)
diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
index 65a88ba7b4..8acae8548b 100755
--- a/tests/test_macros_oval.py
+++ b/tests/test_macros_oval.py
@@ -896,6 +896,148 @@ def main():
"[vehicle]\nspeed =\n100",
"false"
)
+ tester.test(
+ "SHELL commented out",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ "# SHELL=/bin/bash\n",
+ "false"
+ )
+ tester.test(
+ "SHELL correct",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL=/bin/bash\n",
+ "true"
+ )
+ tester.test(
+ "SHELL single-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin"/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL='/bin\"/bash'\n",
+ "true"
+ )
+ tester.test(
+ "SHELL double-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value=' /bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL=" /bin/bash"\n""",
+ "true"
+ )
+ tester.test(
+ "SHELL unwanted double-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value=' /bin/bash',
+ no_quotes=true,
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL=" /bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL unwanted single-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin"/bash',
+ no_quotes=true,
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL='/bin\"/bash'\n",
+ "false"
+ )
+ tester.test(
+ "SHELL double-quoted spaced",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL= "/bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL bad_var_case",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ Shell="/bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL bad_value_case",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL="/bin/Bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL badly quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL="/bin/bash'\n""",
+ "false"
+ )
tester.finish()
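Review bot: all ten new cases pass `missing_parameter_pass=false`, `multi_value=false` and `missing_config_file_fail=false`, so the `missing_parameter_pass` path that the `shell_lineinfile` template exposes is untested, and every value is a plain path, so nothing pins down whether `value` is matched literally or as a pattern. Add at least one case with `missing_parameter_pass=true` against an empty file expecting `true`, and one whose value contains a regex metacharacter such as `.` so the intended semantics are documented by a test.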
diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
index 3dc2c721d4..4126d0440e 100644
--- a/tests/unit/bash/test_set_config_file.bats.jinja
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
@@ -126,3 +126,59 @@ function call_set_config_file {
rm "$tmp_file"
}
+
+@test "Basic Bash remediation" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=foo" > "$tmp_file"
+ expected_output="something='va lue'\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Variable remediation - preserve dollar and use double quotes" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=bar" > "$tmp_file"
+ expected_output='something="$value"'"\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Basic Bash remediation - don't quote" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=foo" > "$tmp_file"
+ expected_output="something=va lue\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Variable remediation - don't quote" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=bar" > "$tmp_file"
+ expected_output='something=$value'"\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
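Review bot: `@test "Basic Bash remediation - don't quote"` expects `something=va lue`, which as a line in a sourced shell file assigns `va` and then tries to run `lue` as a command; the test enshrines a broken remediation output. Use a single-token value for the `no_quotes` cases, or have `bash_shell_file_set` refuse whitespace when `no_quotes` is set. Also `printf "$expected_output"` uses the expectation as the format string; `printf '%b' "$expected_output"` keeps the `\n` expansion and is safe if a value ever contains `%`.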
From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:51:02 +0100
Subject: [PATCH 3/7] Added the shell lineinfile template.
---
docs/manual/developer_guide.adoc | 21 +++++++++++++++++
.../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++
.../templates/template_BASH_shell_lineinfile | 6 +++++
.../templates/template_OVAL_shell_lineinfile | 10 ++++++++
ssg/templates.py | 23 +++++++++++++++++++
5 files changed, 81 insertions(+)
create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
create mode 100644 shared/templates/template_BASH_shell_lineinfile
create mode 100644 shared/templates/template_OVAL_shell_lineinfile
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index aa0a7491c3..b5d22213b7 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1591,6 +1591,27 @@ service_enabled::
** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
* Languages: Ansible, Bash, OVAL, Puppet
+shell_lineinfile::
+* Checks shell variable assignments in files.
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
+* Parameters:
+** *path* - What file to check.
+** *parameter* - name of the shell variable, eg. `SHELL`.
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
+* Languages: Ansible, Bash, OVAL
+* Example:
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
+** `HISTSIZE=500`
+** `HISTSIZE="500"`
+** `HISTSIZE='500'`
++
+The remediation would insert one of the quoted forms if the line was not present.
++
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
+
sshd_lineinfile::
* Checks SSH server configuration items in `/etc/ssh/sshd_config`.
* Parameters:
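Review bot: the `value` bullet reads `value of the SSH configuration option specified by *parameter*`, a copy-paste from `sshd_lineinfile`; it should describe the value of the shell variable. Minor: `eg.` should be `e.g.` in both bullets, and `double quotes are administered` reads oddly; `double quotes are used` is clearer.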
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
new file mode 100644
index 0000000000..7d0a3ebcbd
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{%- if NO_QUOTES -%}}
+ {{% set msg = "Setting unquoted " ~ msg %}}
+{{%- else -%}}
+ {{% set msg = "Setting shell-quoted " ~ msg %}}
+{{%- endif -%}}
+{{{
+ ansible_shell_set(
+ msg=msg,
+ path=PATH,
+ parameter=PARAMETER,
+ value=VALUE,
+ no_quotes=NO_QUOTES
+ )
+}}}
+
diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
new file mode 100644
index 0000000000..6bf869d62b
--- /dev/null
+++ b/shared/templates/template_BASH_shell_lineinfile
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
new file mode 100644
index 0000000000..fd05b6b568
--- /dev/null
+++ b/shared/templates/template_OVAL_shell_lineinfile
@@ -0,0 +1,10 @@
+{{{
+oval_check_shell_file(
+ path=PATH,
+ parameter=PARAMETER,
+ value=VALUE,
+ no_quotes=NO_QUOTES,
+ missing_parameter_pass=MISSING_PARAMETER_PASS
+)
+}}}
+
diff --git a/ssg/templates.py b/ssg/templates.py
index f4f56c94e6..c2c82e6c29 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
return data
+@template(["ansible", "bash", "oval"])
+def shell_lineinfile(data, lang):
+ value = data["value"]
+ if value[0] in ("'", '"') and value[0] == value[1]:
+ msg = (
+ "Value >>{value}<< of shell variable '{varname}' "
+ "has been supplied with quotes, please fix the content - "
+ "shell quoting is handled by the check/remediation code."
+ .format(value=value, varname=data["parameter"]))
+ raise Exception(msg)
+ missing_parameter_pass = data.get("missing_parameter_pass", "false")
+ if missing_parameter_pass == "true":
+ missing_parameter_pass = True
+ elif missing_parameter_pass == "false":
+ missing_parameter_pass = False
+ data["missing_parameter_pass"] = missing_parameter_pass
+ no_quotes = False
+ if data["no_quotes"] == "true":
+ no_quotes = True
+ data["no_quotes"] = no_quotes
+ return data
+
+
@template(["ansible", "bash", "oval"])
def timer_enabled(data, lang):
if "packagename" not in data:
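Review bot: `value[0] == value[1]` compares the first two characters rather than the first and last, so `"/bin/bash"` is not detected as quoted while a value starting with two identical quote characters is; and `value[0]` raises IndexError on an empty value. Also `data["no_quotes"]` is a KeyError when the key is absent, although the developer guide describes `no_quotes` as optional and `missing_parameter_pass` right above uses `data.get(...)`; use `data.get("no_quotes", "false")`.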
From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 14:13:01 +0100
Subject: [PATCH 4/7] Fixed the templated string evaluation.
---
ssg/templates.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/templates.py b/ssg/templates.py
index c2c82e6c29..873f543f41 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
@template(["ansible", "bash", "oval"])
def shell_lineinfile(data, lang):
value = data["value"]
- if value[0] in ("'", '"') and value[0] == value[1]:
+ if value[0] in ("'", '"') and value[0] == value[-1]:
msg = (
"Value >>{value}<< of shell variable '{varname}' "
"has been supplied with quotes, please fix the content - "
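Review bot: `value[-1]` fixes the quote detection, but the check still indexes an empty string (IndexError) and treats a single-character value `'` or `"` as quoted, since `value[0] == value[-1]` holds for length 1; guard with `len(value) >= 2` first.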
From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 14:46:39 +0100
Subject: [PATCH 5/7] Fixed jinja macros
- Fixed macro descriptions.
- Fixed Ansible insert_after.
---
shared/macros-ansible.jinja | 18 ++++++++----------
shared/macros-bash.jinja | 2 +-
shared/macros-oval.jinja | 7 +++----
3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index c42a5156ce..81e18e2d5c 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -143,22 +143,20 @@
{{#
High level macro to set a value in a shell-related file that contains var assignments. This
- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
- in the configuration file, and the value to set it to. We specify a case
- sensitive comparison in the prefix since this is used to deduplicate since
+ takes these values:
+ - msg (the name for the Ansible task),
+ - path to the file,
+ - parameter to set in the configuration file, and
+ - value to set it to.
We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
#}}
{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
{{% if no_quotes -%}}
{{%- else -%}}
-{{%- set quotes = "\"'" -%}}
- {{% if "$" in value %}}
- {{% set value = '"%s"' % value %}}
- {{% else %}}
- {{% set value = "'%s'" % value %}}
- {{% endif %}}
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
+{{% set value = '"%s"' % value %}}
{{%- endif -%}}
-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
{{%- endmacro %}}
{{#
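Review bot: the remaining `{{% if no_quotes -%}}` with an empty body followed by `{{%- else -%}}` should be written as `{{% if not no_quotes %}}`. The new `insert_before="^# " ~ parameter` differs from the bash macro's `"^#\s*" ~ parameter` in the same series (exact single space versus any whitespace), so the two remediations anchor the new line at different places in the same file; use one regex in both. The added comment explains why double quotes are now used unconditionally, but a value containing `"` is still inserted unescaped.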
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 6c0bb2facc..dc7fd25588 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -18,7 +18,7 @@
value=value,
create=true,
insert_after="",
- insert_before="^Match",
+ insert_before="^#\s*" ~ parameter,
insensitive=false,
separator="=",
separator_regex="=",
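Review bot: `insert_before="^#\s*" ~ parameter` interpolates `parameter` into a regular expression unescaped; for shell variable names this is harmless, but nothing in `bash_shell_file_set` validates that `parameter` is an identifier, so either validate it (`^[A-Za-z_][A-Za-z0-9_]*$`) or escape it. Keep the pattern identical to the Ansible macro's `insert_before`, which in this series uses `"^# "` without `\s*`.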
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 696cf36db0..cfa9de9d2d 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -233,7 +233,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
We specify a case insensitive comparison in the prefix because
sshd_config has case-insensitive parameters (but case-sensitive values).
@@ -250,7 +250,7 @@
- value (String): The variable value WITHOUT QUOTES.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{% if no_quotes -%}}
@@ -268,8 +268,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
-
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 22 Jan 2020 11:37:39 +0100
Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
---
shared/macros-ansible.jinja | 2 +-
shared/macros-oval.jinja | 10 ++++++++--
shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++--
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 81e18e2d5c..f752e7a2be 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,7 +25,7 @@
{{%- elif insert_before %}}
insertbefore: '{{{ insert_before }}}'
{{%- endif %}}
- {{% else %}}
+ {{%- else %}}
state: '{{{ state }}}'
{{%- endif %}}
{{%- if validate %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index cfa9de9d2d..5f391efdcb 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -13,13 +13,16 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
- section (String): If set, the parameter will be checked only within the given section defined by [section].
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
#}}
{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+{{%- if application == '' -%}}
+ {{%- set application = "The respective application or service" -%}}
+{{%- endif -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
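Review bot: the `missing_config_file_fail` line in this docstring still reads "if the configuration is not existent in the system", the wording the previous patch replaced elsewhere with "if the configuration file doesn't exist in the system"; update it here as well. The new default `application = "The respective application or service"` also makes the `application` docstring ("does not affect the actual OVAL check") slightly misleading: a default is only needed because the value is rendered somewhere, so say where it appears (the definition's metadata text) rather than implying it is ignored.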
@@ -248,6 +251,9 @@
- path (String): Path to the file.
- parameter (String): The shell variable name.
- value (String): The variable value WITHOUT QUOTES.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
+ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
@@ -342,7 +348,7 @@
- parameter (String): The parameter to be checked in the configuration file.
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
#}}
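Review bot: same wording inconsistency in this hunk: "if the configuration is not existent in the system" should become "if the configuration file doesn't exist in the system" to match the `oval_check_shell_file` and `oval_auditd_config` docstrings changed in the previous patch.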
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
index 7d0a3ebcbd..3e6c5619ea 100644
--- a/shared/templates/template_ANSIBLE_shell_lineinfile
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
{{%- if NO_QUOTES -%}}
{{% set msg = "Setting unquoted " ~ msg %}}
{{%- else -%}}
@@ -15,7 +15,7 @@
path=PATH,
parameter=PARAMETER,
value=VALUE,
- no_quotes=NO_QUOTES
+ no_quotes=NO_QUOTES
)
}}}
From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 16:43:23 +0100
Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
---
.../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++
.../tests/bad_config.fail.sh | 3 ++
.../tests/good_config.pass.sh | 3 ++
.../tests/no_config.fail.sh | 3 ++
.../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
new file mode 100644
index 0000000000..4bfb72702b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
+prodtype: rhel8
+
+title: 'SSH server uses strong entropy to seed'
+
+description: |-
+ To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
+ The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
+ make sure that the file contains line
+ <pre>SSH_USE_STRONG_RNG=32</pre>
+
+rationale: |-
+ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
+ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
+ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
+ the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82462-3
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the SSH service is configured to use strong entropy seed,
+ run <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre>
+ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
+ then the option is set correctly.
+
+ocil_clause: |-
+ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
+
+template:
+ name: shell_lineinfile
+ vars:
+ path: '/etc/sysconfig/sshd'
+ parameter: 'SSH_USE_STRONG_RNG'
+ value: '32'
+ no_quotes: 'true'
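Review bot: the check accepts only the literal value `32` (`value: '32'`, no pattern), while the TODO at the top of the file says the compliant setting is "SSH_USE_STRONG_RNG set to 32 or more"; a host configured with a larger value would fail the rule. Either document that exactly 32 is required or make the value a pattern that accepts larger values, and adjust the OCIL text and the test scenarios to match. Smaller points: "elliminates" in the rationale should be "eliminates", and "eliminates the possibility that the output ... would be known to potential attackers" overstates what good seeding gives you; "makes the generator output infeasible to predict" is closer. The `ospp: FIA_AFL.1` reference (authentication failure handling) looks unrelated to entropy seeding; double-check which SFR this rule is meant to satisfy (FCS_RBG_EXT.1 is the random bit generation requirement).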
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
new file mode 100644
index 0000000000..f4f8c22f64
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
new file mode 100644
index 0000000000..70f53ac22b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
new file mode 100644
index 0000000000..1e5f0b2998
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+rm -f /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
new file mode 100644
index 0000000000..a10d24a73b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index f97527a914..63aea526b7 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - sshd_use_strong_rng
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b665fa1cea..1ff291c7df 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82462-3
CCE-82463-1
CCE-82464-9
CCE-82465-6


@ -1,22 +0,0 @@
From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 3 Feb 2020 10:55:42 +0100
Subject: [PATCH] Update ISACA COBIT URI.
---
shared/transforms/shared_constants.xslt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt
index e88922d965..0aed1f6337 100644
--- a/shared/transforms/shared_constants.xslt
+++ b/shared/transforms/shared_constants.xslt
@@ -28,7 +28,7 @@
<xsl:variable name="nistcsfuri">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</xsl:variable>
<xsl:variable name="isa-62443-2013uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785</xsl:variable>
<xsl:variable name="isa-62443-2009uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731</xsl:variable>
-<xsl:variable name="cobit5uri">http://www.isaca.org/COBIT/Pages/default.aspx</xsl:variable>
+<xsl:variable name="cobit5uri">https://www.isaca.org/resources/cobit</xsl:variable>
<xsl:variable name="cis-cscuri">https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf</xsl:variable>
<xsl:variable name="osppuri">https://www.niap-ccevs.org/Profile/PP.cfm</xsl:variable>
<xsl:variable name="pcidssuri">https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf</xsl:variable>


@ -1,124 +0,0 @@
From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 13:42:35 +0100
Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios
Update test scenarios for the OSPP profile; it selects the 'FIPS:OSPP' crypto policy,
not 'FIPS'.
---
.../tests/dropin_file_and_symlink_exist.fail.sh | 4 ++--
.../tests/file_exists_but_no_file_in_local_d.fail.sh | 2 +-
.../configure_crypto_policy/tests/missing_nss_config.fail.sh | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
index 693cdb03a9..2de1cf4a3b 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
@@ -1,11 +1,11 @@
#!/bin/bash
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+# profiles = xccdf_org.ssgproject.content_profile_ospp
# using example of opensshserver
DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-update-crypto-policies --set FIPS
+update-crypto-policies --set "FIPS:OSPP"
echo "" > "$DROPIN_FILE"
echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
index 5935a38eac..428b76879a 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
@@ -5,7 +5,7 @@
#using example of openssh server
CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
rm -f /etc/crypto-policies/local.d/opensshserver-*.config
rm -f "$CRYPTO_POLICY_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
index b165006a8d..97bc4b499c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
@@ -2,6 +2,6 @@
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
rm -f "/etc/crypto-policies/back-ends/nss.config"
From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 14:07:50 +0100
Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios
---
.../tests/dropin_file_and_symlink_exist.fail.sh | 11 -----------
.../file_exists_but_no_file_in_local_d.fail.sh | 13 -------------
.../tests/override_policy.pass.sh | 11 -----------
3 files changed, 35 deletions(-)
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
deleted file mode 100644
index 2de1cf4a3b..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-# using example of opensshserver
-DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-
-update-crypto-policies --set "FIPS:OSPP"
-
-echo "" > "$DROPIN_FILE"
-echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
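Review bot: this hunk deletes dropin_file_and_symlink_exist.fail.sh, which [PATCH 1/2] in the same series edited a few hunks above (changing the `# profiles` header and the `update-crypto-policies --set "FIPS:OSPP"` call); if both patches land together, squashing them or dropping the edit from 1/2 avoids modifying a file that is removed immediately afterwards. The 2/2 commit message also gives no reason for removing three test scenarios; a sentence on why they no longer apply would help the next reader.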
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
deleted file mode 100644
index 428b76879a..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-#using example of openssh server
-CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
-
-update-crypto-policies --set "FIPS:OSPP"
-
-rm -f /etc/crypto-policies/local.d/opensshserver-*.config
-rm -f "$CRYPTO_POLICY_FILE"
-
-echo "pretend that we overide the crrypto policy but no related file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
deleted file mode 100644
index ce37abd7ff..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-#using openssh server as example
-CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-
-echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE"
-echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE"
-
-update-crypto-policies --set FIPS:OSPP


@ -1,273 +0,0 @@
From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:16:17 +0100
Subject: [PATCH 1/4] create new rules, add missing reference to older rule
---
.../rule.yml | 26 +++++++++++++++
.../package_openssh-server_installed/rule.yml | 1 +
.../rule.yml | 32 +++++++++++++++++++
.../rule.yml | 29 +++++++++++++++++
5 files changed, 88 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
new file mode 100644
index 0000000000..9b3c55f23b
--- /dev/null
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install OpenSSH client software'
+
+description: |-
+ {{{ describe_package_install(package="openssh-clients") }}}
+
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82722-0
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
+
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: openssh-clients
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index c18e604a5c..ba013ec509 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -28,6 +28,7 @@ references:
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 13,14
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
new file mode 100644
index 0000000000..6025f0cd33
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install policycoreutils-python-utils package'
+
+description: |-
+ {{{ describe_package_install(package="policycoreutils-python-utils") }}}
+
+rationale: |-
+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
+ with enhanced security functionality designed to add mandatory access controls to Linux.
+ The Security-enhanced Linux kernel contains new architectural components originally
+ developed to improve security of the Flask operating system. These architectural components
+ provide general support for the enforcement of many kinds of mandatory access control
+ policies, including those based on the concepts of Type Enforcement, Role-based Access
+ Control, and Multi-level Security.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82724-6
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: policycoreutils-python-utils
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
new file mode 100644
index 0000000000..c418518e7a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install crypto-policies package'
+
+description: |-
+ {{{ describe_package_install(package="crypto-policies") }}}
+
+rationale: |-
+ The <tt>crypto-policies</tt> package provides configuration and tools to
+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
+
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82723-8
+
+references:
+ ospp: FCS_COP*
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: crypto-policies
From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:03 +0100
Subject: [PATCH 2/4] modify ospp profile
---
rhel8/profiles/ospp.profile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 4d5a9edd8e..c672066050 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -169,17 +169,17 @@ selections:
- package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_iptables_installed
- - package_libcap-ng-utils_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
- package_rng-tools_installed
- package_sudo_installed
- package_usbguard_installed
- - package_audispd-plugins_installed
- package_scap-security-guide_installed
- package_audit_installed
- - package_gnutls-utils_installed
- - package_nss-tools_installed
+ - package_crypto-policies_installed
+ - package_openssh-server_installed
+ - package_openssh-clients_installed
+ - package_policycoreutils-python-utils_installed
### Remove Prohibited Packages
- package_sendmail_removed
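Review bot: this hunk drops `package_libcap-ng-utils_installed`, `package_audispd-plugins_installed`, `package_gnutls-utils_installed` and `package_nss-tools_installed` from the OSPP selections, but the commit message ("modify ospp profile") does not say why; removing package requirements loosens the profile, so the reason (and the fact that [PATCH 3/4] moves two of them to the STIG profile) should be stated in the message.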
@@ -316,7 +316,7 @@ selections:
## Configure the System to Offload Audit Records to a Log
## Server
## AU-4(1) / FAU_GEN.1.1.c
- - auditd_audispd_syslog_plugin_activated
+ # temporarily dropped
## Set Logon Warning Banner
## AC-8(a) / FMT_MOF_EXT.1
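Review bot: replacing `auditd_audispd_syslog_plugin_activated` with the comment `# temporarily dropped` leaves the "Offload Audit Records to a Log Server" section (AU-4(1) / FAU_GEN.1.1.c) with no rule selected and no pointer to why; record the reason or a tracking reference in the comment so the gap in coverage of this control is visible and gets revisited.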
From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:52 +0100
Subject: [PATCH 3/4] add rules to rhel8 stig profile
---
rhel8/profiles/stig.profile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 821cc26914..7eb1869a3c 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -33,6 +33,9 @@ selections:
- encrypt_partitions
- sysctl_net_ipv4_tcp_syncookies
- clean_components_post_updating
+ - package_audispd-plugins_installed
+ - package_libcap-ng-utils_installed
+ - auditd_audispd_syslog_plugin_activated
# Configure TLS for remote logging
- package_rsyslog_installed
From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 17:42:43 +0100
Subject: [PATCH 4/4] rephrase some rationales, fix SFR
---
.../ssh/package_openssh-clients_installed/rule.yml | 4 +++-
.../rule.yml | 9 ++-------
.../crypto/package_crypto-policies_installed/rule.yml | 8 ++++----
3 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
index 9b3c55f23b..f5b29d32e8 100644
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
description: |-
{{{ describe_package_install(package="openssh-clients") }}}
-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+rationale: |-
+ This package includes utilities to make encrypted connections and transfer
+ files securely to SSH servers.
severity: medium
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index 6025f0cd33..7ae7461077 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -8,13 +8,8 @@ description: |-
{{{ describe_package_install(package="policycoreutils-python-utils") }}}
rationale: |-
- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
- with enhanced security functionality designed to add mandatory access controls to Linux.
- The Security-enhanced Linux kernel contains new architectural components originally
- developed to improve security of the Flask operating system. These architectural components
- provide general support for the enforcement of many kinds of mandatory access control
- policies, including those based on the concepts of Type Enforcement, Role-based Access
- Control, and Multi-level Security.
+ This package is required to operate and manage an SELinux environment and its policies.
+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
severity: medium
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index c418518e7a..bb07f9d617 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -8,9 +8,9 @@ description: |-
{{{ describe_package_install(package="crypto-policies") }}}
rationale: |-
- The <tt>crypto-policies</tt> package provides configuration and tools to
- apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
-
+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and
+ the applications that run on that operating system. Use of weak or untested encryption algorithms
+ undermines the purposes of utilizing encryption to protect data.
severity: medium
@@ -18,7 +18,7 @@ identifiers:
cce@rhel8: 82723-8
references:
- ospp: FCS_COP*
+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
{{{ complete_ocil_entry_package(package='crypto-policies') }}}


@ -0,0 +1,71 @@
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 08:17:20 +0200
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
---
.../ansible/shared.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
new file mode 100644
index 0000000000..5d76b3c073
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: yes
+ dest: "/etc/logrotate.conf"
+ regexp: "^daily$"
+ line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: no
+ dest: "/etc/logrotate.conf"
+ regexp: "^(weekly|monthly|yearly)$"
+ state: absent
+
+- name: Configure cron.daily if not already
+ block:
+ - name: Add shebang
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: "#!/bin/sh"
+ insertbefore: BOF
+ create: yes
+ - name: Add logrotate call
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
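Review bot: the "Configure cron.daily" block never sets the executable bit on /etc/cron.daily/logrotate, so on a host where the first lineinfile task has to create the file (create: yes) run-parts will skip it and the daily rotation this rule checks for still never happens. Add a `file:` task with `path: "/etc/cron.daily/logrotate"` and `mode: '0755'` at the end of the block (or set `mode` on the lineinfile tasks). Two smaller points: the block is named "Configure cron.daily if not already" but has no `when`, so it runs unconditionally (drop the "if not already" or express the condition), and the task name "Make sure daily log rotation setting is not overriden" should read "overridden".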
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:48:15 +0200
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
Test scenario when monthly is there, but weekly is not.
---
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
new file mode 100644
index 0000000000..b10362989b
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf
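Review bot: `sed -i "s/weekly/daily/g"` rewrites every occurrence of the string, including ones inside comments, and if the stock /etc/logrotate.conf has no bare `weekly` line it adds no `daily` at all, so the scenario named in the commit message (monthly present, weekly absent) is only reached when the distribution default happens to start from an uncommented `weekly`. Anchor the substitution (`s/^weekly$/daily/`) and make sure exactly one `daily` line ends up in the file so the fixture does not depend on the package default.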
@ -0,0 +1,115 @@
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:49:08 +0200
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
---
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..a816eea390
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 4" >> $SSHD_CONFIG
+fi
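Review bot: the `#!/bin/bash` on line 4 of the new file is not a shebang there; only the first line of a script is interpreted as one, and here that is the `# profiles = ...` metadata comment, so the test runs under whatever interpreter the harness falls back to. Move `#!/bin/bash` to the first line and keep the `# profiles` / `# platform` metadata below it. The `else` is also indented one level deeper than its `if`/`fi`.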
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..b36125f5bb
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 10" >> $SSHD_CONFIG
+fi
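Review bot: same shebang placement problem as in correct_value.pass.sh (`#!/bin/bash` on line 4 instead of line 1). Beyond that, the fixture hard-codes `MaxSessions 10` as the failing value, which only fails while the CIS profile's var_sshd_max_sessions stays below 10; add a comment stating that dependency so a later change to the variable does not silently turn this into a passing scenario.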
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:53:50 +0200
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
---
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
.../tests/correct_value.pass.sh | 2 +-
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
4 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
new file mode 100644
index 0000000000..a7e171dfe9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_sshd_max_sessions)
+
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
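Review bot: `{{ var_sshd_max_sessions}}` on the last line is missing the space before the closing braces; Jinja accepts it, but it should match the `{{ var }}` spacing used in the other shared.yml files. A blank line between the metadata header and the `- (xccdf-var ...)` line would also mirror the bash counterpart, which separates its header from the body.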
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
new file mode 100644
index 0000000000..fc0a1d8b42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_sshd_max_sessions
+
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
index a816eea390..4cc6d65988 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
else
- echo "MaxSessions 4" >> $SSHD_CONFIG
+ echo "MaxSessions 4" >> $SSHD_CONFIG
fi
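Review bot: the indentation fix for `else` is fine, but the misplaced `#!/bin/bash` (line 4 of the file, after the metadata comments, as created in the previous patch) is left as it is; since this hunk already touches the file, move the shebang to the first line here.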
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
index b36125f5bb..bc0c47842a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
else
- echo "MaxSessions 10" >> $SSHD_CONFIG
+ echo "MaxSessions 10" >> $SSHD_CONFIG
fi
@ -0,0 +1,147 @@
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 11:52:35 +0200
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
Very likely a copy-pasta error from bash remediation for
audit_rules_immutable
---
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 1c9748ce9b..b56513cdcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
# files to check if '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
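Review bot: the corrected sed expression `/-f[[:space:]]\+.*/d` is unanchored, so any rule line that merely contains `-f` followed by whitespace (for example inside a watched path or key name) is deleted along with real `-f` settings. Anchor it to the start of the line, as the Ansible task added in patch 2/4 already does with `^\s*(?:-f)\s+.*$`, so the two remediations delete the same lines.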
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 12:12:21 +0200
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
Along with very basic test scenarios
---
.../ansible/shared.yml | 28 +++++++++++++++++++
.../tests/augen_correct.pass.sh | 4 +++
.../tests/augen_e_2_immutable.fail.sh | 3 ++
3 files changed, 35 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
new file mode 100644
index 0000000000..b9e8fa87fa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+ find:
+ paths: "/etc/audit/rules.d/"
+ patterns: "*.rules"
+ register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^\s*(?:-f)\s+.*$'
+ state: absent
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+ lineinfile:
+ path: "{{ item }}"
+ create: True
+ line: "-f 2"
+ loop:
+ - "/etc/audit/audit.rules"
+ - "/etc/audit/rules.d/immutable.rules"
+
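Review bot: the "Add Audit -f option" task appends `-f 2` at the end of /etc/audit/rules.d/immutable.rules, which puts it after the `-e 2` that the audit_rules_immutable remediation writes to the same file, while auditctl(8) says `-e 2` should be the last command in the configuration. Use `insertbefore: '^-e 2'` on the lineinfile task (lineinfile falls back to end-of-file when the pattern is absent) or keep `-f 2` in a file that augenrules concatenates before immutable.rules. The augen_correct.pass.sh fixture in this patch encodes the same `-e 2` then `-f 2` order and should be adjusted with it. Also drop the trailing `+` blank line at the end of the new file.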
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..0587b937e0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 14:06:08 +0200
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
---
.../audit_rules_immutable/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 5ac7b3dabb..1cafb744cc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -17,7 +17,7 @@
state: absent
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
lineinfile:
path: "{{ item }}"
create: True
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 May 2020 11:02:56 +0200
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
---
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
1 file changed, 8 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index b56513cdcd..a349bb1ca1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -4,16 +4,8 @@
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
-#
-# files to check if '-f .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-f 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
-# Append '-f 2' requirement at the end of both:
-# * /etc/audit/audit.rules file (for auditctl case)
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> $AUDIT_FILE
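Review bot: deleting the whole comment block leaves the `find ... -exec sed -i '/-f[[:space:]]\+.*/d'` line with no explanation at all. The old text was indeed wrong about auditctl(8) (the "must be the last rule" guidance there concerns `-e 2`, not `-f 2`), but a one-line replacement such as `# Remove any existing -f setting so the single -f 2 appended below is authoritative` keeps the intent documented for the next reader.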
@ -0,0 +1,49 @@
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 May 2020 18:16:43 +0200
Subject: [PATCH] Attribute content to CIS
And update the description a bit.
---
rhel7/profiles/cis.profile | 8 +++++---
rhel8/profiles/cis.profile | 8 +++++---
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 0826a49547..829c388133 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
- 12-27-2017.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index f332ee5462..868b9f21a6 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
- 09-30-2019.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
@ -0,0 +1,274 @@
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 12:17:48 +0200
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
---
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
2 files changed, 250 insertions(+)
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
new file mode 100644
index 0000000000..14c82c4231
--- /dev/null
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
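Review bot: the kickstart ships three well-known credentials (root "server", admin "admin123", bootloader "password") with the plaintext written in the comment next to each hash, and the rootpw and bootloader hashes reuse the salt `rhel6usgcb`, so anyone who installs from this file unmodified ends up with a HIPAA-profile system whose passwords are published in the repository. Put a prominent "replace these before use" note at the top of the file and regenerate the hashes with fresh salts (`python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'`). The DHCP note above the `network` line also cites CCE-27021-5 / RHEL-06-000292, which are RHEL 6 identifiers carried over from the older template and do not apply to this RHEL 7 profile.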
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 0000000000..861db36f18
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
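Review bot: `install` is a deprecated kickstart command on RHEL 8 (the installation-method command such as `url` or `cdrom` is sufficient), so the line near the top will produce a deprecation warning in the installer log; drop it from the RHEL 8 file. The rest is the RHEL 7 template with `authconfig` correctly replaced by `authselect select sssd`, which means the same published-password and reused-salt concern raised on the RHEL 7 file applies here, and the DHCP comment still cites the RHEL 6 identifiers CCE-27021-5 / RHEL-06-000292.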
@ -0,0 +1,76 @@
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 22 May 2020 14:12:18 +0200
Subject: [PATCH] Add missing CCEs for RHEL8
---
.../password_storage/no_netrc_files/rule.yml | 1 +
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
.../file_groupownership_home_directories/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 3 ---
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 8547893201..1bd1f5742e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel6: 27225-2
cce@rhel7: 80211-6
+ cce@rhel8: 83444-0
cce@ocp4: 82667-7
references:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index bedf3a0b19..e69bc9d736 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: 80529-1
+ cce@rhel8: 83424-2
references:
stigid@ol7: "020620"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 1c5ac8d099..f931f6d160 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: 80532-5
+ cce@rhel8: 83434-1
references:
stigid@ol7: "020650"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2f0d2a526b..45d03a2c1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -95,7 +95,6 @@ CCE-83411-9
CCE-83421-8
CCE-83422-6
CCE-83423-4
-CCE-83424-2
CCE-83425-9
CCE-83426-7
CCE-83427-5
@@ -105,7 +104,6 @@ CCE-83430-9
CCE-83431-7
CCE-83432-5
CCE-83433-3
-CCE-83434-1
CCE-83435-8
CCE-83436-6
CCE-83437-4
@@ -115,7 +113,6 @@ CCE-83440-8
CCE-83441-6
CCE-83442-4
CCE-83443-2
-CCE-83444-0
CCE-83445-7
CCE-83446-5
CCE-83447-3
@ -0,0 +1,103 @@
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
---
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
- name: "Direct root Logins Not Allowed"
copy:
dest: /etc/securetty
content: ""
- when: securetty_empty.stat.size > 1
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
---
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
@@ -13,11 +13,17 @@
{{% else %}}
- (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
-
+{{% endif %}}
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
seboolean:
name: {{{ SEBOOLID }}}
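Review bot: the `{{% if product == "rhel8" %}}` branch keys the package name on a single product, so any other product that also ships the bindings as `python3-libsemanage` (Fedora, for one) will still try to install `libsemanage-python` and fail. Consider taking the package name from a product property instead of an `if` chain, or at least list the python3-only products explicitly.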
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins
---
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
3 files changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
new file mode 100644
index 0000000000..17251f6a98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
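Review bot: `correct.pass.sh` writes a single newline with `echo > /etc/securetty`, whereas the Ansible remediation in patch 1/3 writes zero bytes (`content: ""`); make sure the rule's check accepts both an empty file and a whitespace-only one, otherwise the pass scenario and the remediated state disagree. `missing.fail.sh` and `wrong.fail.sh` below look fine.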
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
new file mode 100644
index 0000000000..c764814b26
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
new file mode 100644
index 0000000000..43ac341e87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty


@ -0,0 +1,308 @@
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 26 May 2020 17:49:21 +0200
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
Affected rules:
- selinux_policytype
- selinux_state
---
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
shared/macros-ansible.jinja | 11 +++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
9 files changed, 61 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 5c70cc9f7f..9f8cf66dfb 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_policy_name)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUXTYPE='
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
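Review bot: the task loses its name here: the removed block had `name: "{{{ rule_title }}}"`, but the macro call does not pass `msg`, so `ansible_selinux_config_set` (whose signature defaults `msg=''`) emits a task with an empty name; pass `msg=rule_title`. The same applies to the selinux_state hunk below. Switching the path from /etc/sysconfig/selinux to /etc/selinux/config is correct, since that is the file the OVAL check reads and /etc/sysconfig/selinux is only a symlink to it on RHEL.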
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index d0fbbf4446..2b5ce31b12 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,7 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_policy_name
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
new file mode 100644
index 0000000000..1a6eb94953
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
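Review bot: the `sed` replacement `\minimum` is not a back-reference; sed treats `\m` as a literal `m`, so the line becomes `minimum` instead of `SELINUXTYPE=minimum` and the `\(...\)` capture group goes unused. It should read `\1minimum`. The same slip is in `selinux_permissive.fail.sh` (`\permissive`), which matters more since that scenario survives patch 2/2: as written it removes the `SELINUX=` key entirely and duplicates `selinux_missing.fail.sh` instead of exercising the wrong-value case.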
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index b465ac6729..1c1560a86c 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_state)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUX='
- line: "SELINUX={{ var_selinux_state }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 58193b5504..a402a861d7 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,10 +1,11 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_state
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
fixfiles onboot
fixfiles -f relabel
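Review bot: the context line `# platform = ...multi_platorm_ol...` misspells `multi_platform_ol`, so this bash remediation is silently not built for Oracle Linux while its policytype sibling is; worth fixing while the header is being touched, since the typo survives into patch 2/2 as well. Also, `fixfiles onboot` followed by `fixfiles -f relabel` schedules a relabel at next boot and then forces a full relabel immediately; once `reboot = true` is added later in the series, the immediate relabel looks redundant.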
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
new file mode 100644
index 0000000000..180dd80791
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
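Review bot: the expression `/^[[:space:]]*SELINUX/d` deletes every line starting with `SELINUX`, so it removes `SELINUXTYPE=` as well as `SELINUX=`; a scenario for selinux_state should only remove the `SELINUX=` key. Use `/^[[:space:]]*SELINUX[[:space:]]*=/d`.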
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
new file mode 100644
index 0000000000..3db1e56b5f
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6798a25d1f..01d3155b37 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/selinux/config.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
{{#
Generates an Ansible task that puts 'contents' into a file at 'filepath'
Parameters:
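Review bot: `create="no"` in `ansible_selinux_config_set` does not match the bash macro added in this same patch, which passes `create=true`; an absent /etc/selinux/config would be created by the bash remediation but left alone by the Ansible one. Pick one behaviour for both (patch 2/2 switches this to `"yes"`, which resolves it).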
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 3a94fe5dd8..2531d1c52d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -86,6 +86,21 @@ populate {{{ name }}}
}}}
{{%- endmacro -%}}
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+ path="/etc/selinux/config",
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="",
+ insensitive=true,
+ separator="=",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{#
# Install a package
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
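Review bot: `insensitive=true` lets the bash remediation match an existing `selinuxtype=` line regardless of case, but the OVAL patterns in this series match only upper-case `SELINUXTYPE=`/`SELINUX=`; make sure `set_config_file` rewrites the key as given in `parameter` rather than preserving the matched spelling, otherwise the remediated file can still fail the check. The trailing context comment also has typos, `pkg_manger proprerty` for `pkg_manager property`.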
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 27 May 2020 18:48:57 +0200
Subject: [PATCH 2/2] Remediation requires reboot.
Update OVAL check to disallow spaces.
Removed selinuxtype_minimum test scenario since breaks the system.
---
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
shared/macros-ansible.jinja | 2 +-
shared/macros-bash.jinja | 4 ++--
8 files changed, 14 insertions(+), 16 deletions(-)
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 9f8cf66dfb..73e6ec7cd4 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -1,5 +1,5 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
+# reboot = true
# strategy = restrict
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index 2b5ce31b12..b4f79c97f9 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
index f1840a1290..3d69fff07f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
@@ -27,7 +27,7 @@
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
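Review bot: tightening the pattern to `^SELINUXTYPE=(.*)$` means a line written as `SELINUXTYPE = targeted`, or one with leading whitespace, now yields no item at all instead of a non-matching value; confirm the definition's test fails when zero items are collected, otherwise such a file passes silently. `(.*)` still captures trailing whitespace, presumably intended so that `targeted ` fails. The same applies to the selinux_state OVAL below.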
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
deleted file mode 100644
index 1a6eb94953..0000000000
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-
-SELINUX_FILE='/etc/selinux/config'
-
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-else
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-fi
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index a402a861d7..645a7acab4 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
index c0881696e1..8c328060af 100644
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 01d3155b37..580a0b948e 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
- value: value of the parameter
#}}
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
{{%- endmacro %}}
{{#
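Review bot: with `separator_regex="="` and `prefix_regex='^'` the Ansible macro no longer recognises a pre-existing `SELINUX = enforcing` or indented line, so the remediation appends a fresh `SELINUX=enforcing` while leaving the old line in place, ending with two entries for the same key. Since the OVAL check now rejects those spaced forms anyway, consider deleting any `^\s*SELINUX\s*=` line before writing the canonical one; the bash macro hunk below has the same behaviour.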
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2531d1c52d..8abcc914d3 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -96,8 +96,8 @@ populate {{{ name }}}
insert_before="",
insensitive=true,
separator="=",
- separator_regex="\s*=\s*",
- prefix_regex="^\s*")
+ separator_regex="=",
+ prefix_regex="^")
}}}
{{%- endmacro -%}}


@ -0,0 +1,40 @@
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 23:36:18 +0200
Subject: [PATCH] Ansible mount_option: split mount and option task
Separate task that adds mount options mounts the mountpoint into two tasks.
Conditioning the "mount" task on the absence of the target mount option
caused the task to always be skipped when mount option was alredy present,
and could result in the mount point not being mounted.
---
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 95bede25f9..a0cf8d6b7a 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -26,14 +26,19 @@
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
+ set_fact:
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
+ when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
mount:
path: "{{{ MOUNTPOINT }}}"
src: "{{ mount_info.source }}"
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
+ opts: "{{ mount_info.options }}"
state: "mounted"
fstype: "{{ mount_info.fstype }}"
when:
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
- device_name.stdout is defined
- (device_name.stdout | length > 0)
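Review bot: the `when` of the new `set_fact` task uses a substring test, `"{{{ MOUNTOPTION }}}" not in mount_info.options`, so an option that is a suffix of one already present (for example `dev` inside `nodev`, or `exec` inside `noexec`) is wrongly treated as present and never added. Compare against the list instead: `"{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`. Splitting the mount into its own task that runs whenever the device exists is the right fix for the always-skipped case described in the commit message.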


@ -0,0 +1,33 @@
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 May 2020 16:46:07 +0200
Subject: [PATCH] reorder groups because of permissions verification
---
ssg/build_yaml.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index e3e138283c..c9f3179c08 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -700,6 +700,11 @@ def to_xml_element(self):
# audit_rules_privileged_commands, othervise the rule
# does not catch newly installed screeen binary during remediation
# and report fail
+ # the software group should come before the
+ # bootloader-grub2 group because of conflict between
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
+ # specific rules concerning permissions should
+ # be applied after the general rpm_verify_permissions
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
# the firewalld_activation must come before ruleset_modifications, othervise
# remediations for ruleset_modifications won't work
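Review bot: the surrounding context comment has typos worth fixing while this block is being edited: `othervise` (twice) and `screeen`. The rationale given for `software` before `bootloader-grub2` matches the entry added to `priority_order` in the next hunk.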
@@ -707,6 +712,7 @@ def to_xml_element(self):
# otherwise the remediation prints error although it is successful
priority_order = [
"accounts", "auditing",
+ "software", "bootloader-grub2",
"fips", "crypto",
"firewalld_activation", "ruleset_modifications",
"disabling_ipv6", "configuring_ipv6"


@ -0,0 +1,171 @@
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 01:20:53 +0200
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
All paths in /etc/rsyslog.conf were taken as log files, but paths
in lines containing "include" or "$IncludeConfig" are config files.
Let's not take them in as log files
---
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69df2..c74f3da3f5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,8 +87,18 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their permissions don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
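Review bot: the `\$IncludeConfig[\s]+[^\s;]+` alternative in `state_ignore_include_paths` can never match an item of this object, because the object's own pattern `^[^\s#\$]+...` already rejects lines that begin with `$`; only the `file="..."` alternative does any work here. Not wrong, but the comment should say the filter targets `include(file="...")` lines, and the dead alternative could be dropped.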
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 00:16:37 +0200
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
The remediation script also needs to parse the files included via
"include()".
The awk also takes into consideration the multiline aspect.
---
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 6cbf0c6a24..dca35301e7 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
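Review bot: the new `awk` only parses /etc/rsyslog.conf, so `include()` statements inside the files it pulls in (via `$IncludeConfig` or a previous `include()`) are not followed; nested includes will not have their log file permissions fixed. Also, `gensub()` is a gawk extension, fine for the RHEL and Fedora `awk` but worth a comment for the other platforms the script claims.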
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 15:53:58 +0200
Subject: [PATCH 3/4] Make regex for include file more strict
For some reason gensub in awk doesn't support non capturing group.
So the group with OR is capturing and we substitute everyting with the
second group, witch matches the file path.
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index dca35301e7..99d2d0e794 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
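Review bot: the stricter regex `^(include\\(|\\s*)file=\"(\\S+)\".*` only matches when `file=` is the first parameter and immediately follows `include(` or leading whitespace, so `include( file="...")` or `include(mode="optional" file="...")` yields no path. Allowing other parameters before `file=` with a word boundary, e.g. `^(include\\()?.*\\<file=\"(\\S+)\".*`, keeps the intent (not matching things like `StateFile=`) without dropping those forms; group 2 stays the path. Using a capturing first group is indeed required since gawk's `gensub()` has no non-capturing groups, as the commit message says.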
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 16:55:02 +0200
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
These three files basically work the same way
---
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 5828f25321..9941e2b94f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -86,8 +86,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
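Review bot: the context pattern `^[^(\s|#|\$)]+...` is written as if it were a group but is a bracket expression, so it also excludes `(`, `|` and `)` in addition to whitespace, `#` and `$`; it works by accident and differs from the `^[^\s#\$]+` form used in rsyslog_files_permissions. Since the commit message says the three files work the same way, this series is a good place to normalise all three OVALs to the same pattern (the rsyslog_files_ownership hunk below has the same expression).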
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
index 3c46eab6d6..29dd1a989e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
@@ -83,8 +83,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their owner don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c74f3da3f5..da37a15b8c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,10 +87,10 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_ignore_include_paths</filter>
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
include() or $IncludeConfig statements.
These paths are conf files, not log files. Their permissions don't need to be as


@ -0,0 +1,23 @@
From 602e57d4c643be443110bbc772e6e5546b1a3cd3 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 26 Jun 2020 16:56:52 +0200
Subject: [PATCH] Update RHEL7 documentation link for
grub2_uefi_admin_username.
---
.../system/bootloader-grub2/grub2_uefi_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
index 1926837db7..0c69e59553 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
@@ -28,7 +28,7 @@ rationale: |-
For more information on how to configure the grub2 superuser account and password,
please refer to
<ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
+ <li>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-working_with_the_grub_2_boot_loader#sec-Protecting_GRUB_2_with_a_Password") }}}</li>.
</ul>
{{% endif %}}
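Review bot: the link update is fine, but the period after `</li>` on both the old and the new line sits directly inside `<ul>`, which is invalid HTML and renders as a stray dot after the list; move it inside the `<li>` or drop it.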


@ -0,0 +1,375 @@
From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 10:54:51 +0200
Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
.../tests/no_sys_uids.pass.sh | 7 +++++++
.../tests/only_system_users.pass.sh | 6 ++++++
.../tests/system_user_with_shell.fail.sh | 6 ++++++
4 files changed, 23 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
new file mode 100644
index 0000000000..6d48ad78fd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -0,0 +1,4 @@
+# remediation = none
+
+#!/bin/bash
+true
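Review bot: `#!/bin/bash` is on line 3, after the `# remediation = none` header, so the kernel never sees it as a shebang and the script is run by whatever the harness defaults to; the shebang has to be the first line of the file (patch 3/3 of this series moves it). The same ordering problem is in all four new test files.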
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
new file mode 100644
index 0000000000..bc4f9cee8c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -0,0 +1,7 @@
+# remediation = none
+
+#!/bin/bash
+
+# Force unset of SYS_UID values
+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
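Review bot: this scenario only removes the `SYS_UID_*` keys, so it exercises the fallback `<0, UID_MIN - 1>` branch of the check; since that branch's test is written with `check_existence="all_exist"` (patch 2/3), the scenario passes only if the test machine has at least one non-root account with a shell, which the script does not guarantee. Either create such an account here or use `any_exist` in the OVAL, and say in a comment which one the test relies on.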
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
new file mode 100644
index 0000000000..0cdb820bbb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# remove any non-system user
+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
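Review bot: the `sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d'` expression is an alternation, so `^root` is a prefix match that keeps any entry whose name starts with `root` (e.g. `rootkit:x:...`) and the remaining branches match on the shell path only; anchor the first branch as `^root:` so that only the root entry is retained. Rewriting `/etc/passwd` in place is also destructive for every other account on the box, which is acceptable in a throw-away test VM but worth a comment.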
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
new file mode 100644
index 0000000000..7639a8809d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# change system user "mail" shell to bash
+usermod --shell /bin/bash mail
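Review bot: `usermod --shell /bin/bash mail` assumes the `mail` system account exists; on a minimal image without it `usermod` exits non-zero and the failing condition is never created, so the scenario would report a false pass. Guard it with `id mail` or create a throw-away system user with `useradd -r` before changing the shell.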
From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 11:27:48 +0200
Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
range of UIDs
There is no need to make calculations on top of the UIDs, we can compare
the collected UIDs with shell againt the states that define the valid range.
Avoiding the calculations has the added benefit of not using/referencing
a variable that can be empty (when no user has shell, except root).
---
.../oval/shared.xml | 198 +++---------------
1 file changed, 33 insertions(+), 165 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
index 7e68441867..d0e836515b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
@@ -79,13 +79,6 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <!-- Extract UIDs from /etc/passwd entries into OVAL variable -->
- <local_variable id="variable_sys_uids_etc_passwd" datatype="int"
- comment="UIDs retrieved from /etc/passwd" version="1">
- <object_component item_field="subexpression"
- object_ref="object_etc_passwd_entries" />
- </local_variable>
-
<!-- FIRST CRITERION -->
<!-- If both SYS_UID_MIN and SYS_UID_MAX aren't defined in /etc/login.defs
perform the check that all /etc/passwd entries having shell defined have
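Review bot: dropping `variable_sys_uids_etc_passwd` is only safe if nothing outside the hunks in this patch still references it; the three `*_quad_expr` variables removed below were its only consumers in the visible context, but please confirm with a grep over the rule directory before merging.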
@@ -100,63 +93,23 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, UID_MIN - 1> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold (x - 0) * (x - (UID_MIN -1)) range -->
- <local_variable id="variable_default_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get (x - (UID_MIN -1)) result -->
- <arithmetic arithmetic_operation="add">
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get -1 * (UID_MIN - 1) result -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <!-- Get (UID_MIN -1) result -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_uid_min_value" />
- <literal_component datatype="int">-1</literal_component>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
- <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the default <0, UID_MIN - 1> UID range test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, UID_MIN -1> range -->
- <ind:variable_test id="test_shell_defined_default_uid_range" check="all"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_default_uid_range" check="all"
check_existence="all_exist" comment="&lt;0, UID_MIN - 1&gt; system UIDs having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_default_uid_range" />
- <ind:state state_ref="state_shell_defined_default_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
+ <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Test if SYS_UID_MIN not defined in /etc/login.defs -->
<ind:textfilecontent54_test id="test_sys_uid_min_not_defined"
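Review bot: `test_shell_defined_default_uid_range` keeps `check_existence="all_exist"` while the two rewritten tests below use `any_exist`; with `all_exist`, a system where `object_etc_passwd_entries` collects nothing (the "no user has shell, except root" case the commit message describes) makes this test false instead of true, so the rule fails on exactly the hardened systems it should accept. Use `any_exist` here as well. The `state_uid_less_than_zero` branch of the `OR` can never match, since UIDs in `/etc/passwd` are non-negative; it is harmless, but a single `>= UID_MIN` state would express the intent more plainly.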
@@ -200,121 +153,36 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for reserved system accounts, thus
- UIDs from the range <0, SYS_UID_MIN> -->
- <local_variable id="variable_reserved_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
- <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the reserved UID range <0, SYS_UID_MIN> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, SYS_UID_MIN> range -->
- <ind:variable_test id="test_shell_defined_reserved_uid_range" check="all"
- check_existence="all_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
- version="1">
- <ind:object object_ref="object_shell_defined_reserved_uid_range" />
- <ind:state state_ref="state_shell_defined_reserved_uid_range" />
- </ind:variable_test>
-
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for dynamically allocated system accounts,
- thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
- <local_variable id="variable_dynalloc_range_quad_expr" datatype="int"
- comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_reserved_uid_range" check="all"
+ check_existence="any_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- <!-- Construct (x - SYS_UID_MAX) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MAX -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_max_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
- <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
- </ind:variable_object>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
+ </ind:textfilecontent54_test>
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Perform the dynamically allocated UID range <SYS_UID_MIN, SYS_UID_MAX> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
- <ind:variable_test id="test_shell_defined_dynalloc_uid_range" check="all"
- check_existence="all_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_dynalloc_uid_range" check="all"
+ check_existence="any_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
- <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_sys_uid_min" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
+ </ind:textfilecontent54_state>
</def-group>
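Review bot: the dynamically-allocated range test treats `SYS_UID_MAX` as exclusive (`state_uid_greater_than_or_equal_sys_uid_max` uses `greater than or equal`), but `SYS_UID_MAX` in `/etc/login.defs` is the last UID of the system range, inclusive. A system account with UID exactly `SYS_UID_MAX` (typically 999 on RHEL, and the first value `useradd -r` hands out) that has a login shell therefore passes this check. Change the operation to `greater than`. The reserved-range test uses `greater than or equal` against `SYS_UID_MIN`, which is fine because the dynalloc test covers that boundary.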
From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 4 Jun 2020 14:04:37 +0200
Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +-
.../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
.../tests/only_system_users.pass.sh | 3 +--
.../tests/system_user_with_shell.fail.sh | 3 +--
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
index 6d48ad78fd..833831f79d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -1,4 +1,4 @@
+#!/bin/bash
# remediation = none
-#!/bin/bash
true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
index bc4f9cee8c..6769895eb2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# Force unset of SYS_UID values
sed -i '/^SYS_UID_MIN/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
index 0cdb820bbb..06edf671ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# remove any non-system user
sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
index 7639a8809d..10312593b8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# change system user "mail" shell to bash
usermod --shell /bin/bash mail

@ -0,0 +1,163 @@
From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:53:38 +0200
Subject: [PATCH 1/3] fixed description, oval, ansible, bash
---
.../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
.../configure_openssl_crypto_policy/oval/shared.xml | 2 +-
.../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++-----
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index e6318f221c..98fe134aca 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -15,7 +15,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/openssl.config"
+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
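Review bot: this task only inserts the corrected `.include /etc/crypto-policies/back-ends/opensslcnf.config` line; a file that already carries the old `.include /etc/crypto-policies/back-ends/openssl.config` directive (the value this rule used to require) keeps it, so a remediated host ends up with both includes in the `[ crypto_policy ]` section. Add a `lineinfile` with `state: absent` for the old path, or a `regexp` on this task so the stale line is replaced rather than supplemented.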
@@ -24,7 +24,7 @@
- name: "Add crypto_policy group and set include openssl.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
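Review bot: `lineinfile` compares `line` against single lines of the target file, so the two-line value `[crypto_policy]\n.include ...` can never be found as already present; the task is idempotent only because the `when:` guard on `test_crypto_policy_group` skips it once the section exists. That dependency deserves a comment, or the task could be split into one `lineinfile` for the header and one for the include.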
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 0b3cbf3b46..a0b30cce96 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
function remediate_openssl_crypto_policy() {
CONFIG_FILE="/etc/pki/tls/openssl.cnf"
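Review bot: `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` uses `\s*` between `\.include` and the path, so it also accepts `.include/etc/crypto-policies/back-ends/opensslcnf.config`, which OpenSSL does not parse as an include directive; use `\s+` so the remediation does not treat such a line as already compliant. The `.` in `opensslcnf.config` is also unescaped, which is harmless here but inconsistent with the escaped `\.include`.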
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
index a9b3f7b6e9..2019769736 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
version="1">
<ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
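Review bot: the pattern requires the include to follow the `[ crypto_policy ]` header with nothing but whitespace between them (`\s*\n*\s*`), so a comment line or any other directive between the two, which OpenSSL accepts, makes the rule fail on a correctly configured host. Match the include on its own line within the section instead. As in the bash remediation, `\.include\s*/etc/...` should be `\s+` so that `.include/etc/...` is not reported as compliant.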
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index 8c015bb3b2..1a66570a8c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -11,7 +11,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under <tt>/etc/pki/tls/openssl.cnf</tt>.
This file has the <tt>ini</tt> format, and it enables crypto policy support
- if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
+ if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
rationale: |-
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
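Review bot: the unchanged rationale line that follows this hunk still reads "makes the behavior of the Java runtime violates expectations"; this rule is about OpenSSL, not the Java runtime, and the sentence is ungrammatical. Since the description is being corrected here anyway, the rationale should be fixed in the same patch.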
@@ -29,11 +29,11 @@ references:
ocil_clause: |-
the OpenSSL config file doesn't contain the whole section,
- or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
+ or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
ocil: |-
- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
<pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
- <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
- <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
+ <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
+ <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
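Review bot: the OCIL `grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$'` is not anchored at the start of the line, so a commented-out `#.include ...` line also matches and the manual check would report the directive as present when it is not in effect. Anchor it as `^\s*\.include\s+...` to match what the OVAL tests.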
From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:54:09 +0200
Subject: [PATCH 2/3] updated tests
---
.../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +-
.../tests/wrong.fail.sh | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
index 5b8334735e..c56916883e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
@@ -6,5 +6,5 @@
create_config_file_with "[ crypto_policy ]
-.include /etc/crypto-policies/back-ends/openssl.config
+.include /etc/crypto-policies/back-ends/opensslcnf.config
"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
new file mode 100644
index 0000000000..5b8334735e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+
+. common.sh
+
+create_config_file_with "[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/openssl.config
+"
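Review bot: the blob id of this new file (`5b8334735e`) is the pre-change `ok.pass.sh`, so the scenario is byte-for-byte the old passing fixture and fails solely because of the stale `openssl.config` path; a one-line comment saying that the wrong include path is the reason for the expected failure would spare the next reader the comparison.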
From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Jun 2020 17:32:00 +0200
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
file.
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index 98fe134aca..986543c10f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -11,7 +11,7 @@
changed_when: False
check_mode: no
-- name: "Add .include for openssl.config to crypto_policy section"
+- name: "Add .include for opensslcnf.config to crypto_policy section"
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
@@ -21,7 +21,7 @@
- test_crypto_policy_group.stdout is defined
- test_crypto_policy_group.stdout | length > 0
-- name: "Add crypto_policy group and set include openssl.config"
+- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"

@ -0,0 +1,383 @@
From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 15:49:34 +0200
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
Introduce the rekey_limit_size and rekey_limit_time XCCDF values
to make the rule more flexible.
---
.../sshd_rekey_limit/bash/shared.sh | 9 ++++
.../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +-----
.../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++
.../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++
.../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++
.../sshd_rekey_limit/tests/ok.pass.sh | 4 ++
.../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++
.../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++
rhel8/profiles/ospp.profile | 2 +
10 files changed, 99 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..2620c2d49e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_rekey_limit_size
+populate var_rekey_limit_time
+
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..57aa090948
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -0,0 +1,43 @@
+{{% set filepath = "/etc/ssh/sshd_config" %}}
+{{% set parameter = "RekeyLimit" %}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ {{{- application_not_required_or_requirement_unset() }}}
+ {{{- application_required_or_requirement_unset() }}}
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+ <ind:object object_ref="obj_sshd_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
+</def-group>
+
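Review bot: the `<description>` references `{{{ RekeyLimit }}}`, which is not a Jinja variable defined in this file (the file sets `parameter`); use `{{{ parameter }}}`. Two points on the check itself: sshd_config keywords are case-insensitive but `^[\s]*RekeyLimit[\s]+` is not, so `rekeylimit 512M 1h` is accepted by sshd and rejected here; and because the object only requires `instance >= 1`, a file with a non-compliant `RekeyLimit` line followed by a compliant one passes, while sshd honours the first occurrence. Finally, the criteria nesting (one visible `<criteria>` open, two `</criteria>` closes) is balanced only if `application_required_or_requirement_unset()` emits an unclosed `<criteria>`; a comment stating that would help whoever edits this next.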
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index e11678faa0..4936a381f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -7,7 +7,7 @@ description: |-
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
- <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
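Review bot: the context line `the session key of the is renegotiated` carries a stray "of the"; since this hunk already rewrites the description, fix it here to "the session key is renegotiated".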
@@ -30,12 +30,4 @@ ocil: |-
following command:
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
If configured properly, output should be
- <pre>RekeyLimit 512M 1h</pre>
-
-template:
- name: sshd_lineinfile
- vars:
- missing_parameter_pass: 'false'
- parameter: RekeyLimit
- rule_id: sshd_rekey_limit
- value: 512M 1h
+ <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
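Review bot: the new OCIL keeps `grep RekeyLimit /etc/ssh/sshd_config` and says the output "should be" the compliant line, but that grep also prints commented-out lines (the stock OpenSSH sshd_config ships `#RekeyLimit default none`), while the template being removed had `missing_parameter_pass: 'false'`; use `grep '^\s*RekeyLimit' /etc/ssh/sshd_config` so the manual check agrees with the OVAL. Dropping the `sshd_lineinfile` template also removes the generated Ansible remediation for this rule, which only returns later in the series when `ansible/shared.yml` is created; the intermediate commit has no Ansible fix.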
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
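Review bot: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` has no `-i`, so the deletion goes to stdout and the file is left untouched; if the image already has a compliant `RekeyLimit` line, `RekeyLimit 812M 1h` is appended after it and the check, which needs only one matching line, still passes, so this fail test can report the wrong result. Use `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`.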
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
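Review bot: the `sed` call is missing `-i`, so existing `RekeyLimit` lines are never removed from `/etc/ssh/sshd_config` and the appended `RekeyLimit 512M 2h` is not guaranteed to be the only match; the test only isolates the wrong-time case if the file is actually cleaned first.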
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
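Review bot: without `-i`, `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` is a no-op on the file, so this script does not create the "no line" condition it is named for and relies on the stock config having no uncommented `RekeyLimit`. Use `sed -i`.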
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
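Review bot: the `sed` call lacks `-i`, so any pre-existing `RekeyLimit` line survives and the appended `RekeyLimit 512M 1h` becomes a second one; because sshd honours the first obtained value, the scenario would pass the check while sshd still used the earlier setting. Use `sed -i` so the file ends up with exactly one `RekeyLimit` line.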
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
new file mode 100644
index 0000000000..16dc376508
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "default"
+ default: "512M"
+ "512M": "512M"
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
new file mode 100644
index 0000000000..8801fbbf6f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "none"
+ default: "1h"
+ "1hour": "1h"
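Review bot: the title `'SSH RekeyLimit - size'` and description `'Specify the size component of the rekey limit.'` are copied from the size variable; this file defines the time component and should say so. The `sshd_default: "none"` option also disables time-based rekeying entirely, which contradicts the rule's rationale of "enabling time-based limit"; if the option stays, the rule description should state that selecting it leaves the time limit off.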
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index c672066050..a5223a187f 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,8 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - var_rekey_limit_size=512M
+ - var_rekey_limit_time=1hour
- sshd_use_strong_rng
- openssl_use_strong_entropy
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 17:57:12 +0200
Subject: [PATCH 2/5] Updated stable profile definitions.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 23039c82b4..bdda39a903 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -214,6 +214,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index cd31b73700..ebef541921 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
documentation_complete: true
-extends: ospp
selections:
- account_disable_post_pw_expiration
- account_temp_expire_date
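Review bot: the removal of `extends: ospp` from the stable stig snapshot is not covered by the commit message ("Updated stable profile definitions.") and is unrelated to the rekey variables added in the other hunks; confirm that the stability test really expects the resolved profile without `extends`, since a snapshot that silently stops extending ospp would hide future drift between the two profiles.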
@@ -243,6 +242,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:43:36 +0200
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
---
shared/macros-ansible.jinja | 14 ++++++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 56a3f5f3ec..6798a25d1f 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -1,3 +1,17 @@
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+ansible_instantiate_variables("varname1", "varname2")
+
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
+value: "Setting={{ varname1 }}"
+
+#}}
+{{%- macro ansible_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+- (xccdf-var {{{ name }}})
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{#
A wrapper over the Ansible lineinfile module. This handles the most common
options for us. regex is optional and when blank, it won't be included in
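Review bot: the docstring should say where the macro may be called: it emits one YAML list item `- (xccdf-var name)` per argument, so it only works at task-list level (as the `ansible/shared.yml` files in this series use it), and a call inside a task or inside a string produces invalid YAML. Stating this, and that `(xccdf-var ...)` is a build-time placeholder rather than Ansible syntax, would save the next reader a trip into the build code.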
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 01b9e62e7b..3a94fe5dd8 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -1,5 +1,20 @@
{{# ##### High level macros ##### #}}
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+bash_instantiate_variables("varname1", "varname2")
+
+Then, assume that variables of that names are defined and contain the correct value, e.g.
+echo "Setting=$varname1" >> config_file
+
+#}}
+{{%- macro bash_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+populate {{{ name }}}
+{{# this line is intentionally left blank #}}
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
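Review bot: the docstring should state how the emitted `populate name` lines are resolved, whether by the build substituting the XCCDF value or by `remediation_functions`, which the Bash remediations in this series source before calling the macro, because a caller has to know which of the two it depends on. The `{{# this line is intentionally left blank #}}` comment is also misleading: the blank output line comes from the newline after the comment, not from the comment itself.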
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:44:08 +0200
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
---
.../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++
.../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +--
2 files changed, 9 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..43a2d4521f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
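Review bot: the platform header `# platform = multi_platform_all [0/453]` carries pager residue (`[0/453]`) that ends up in the parsed platform string; it should read `# platform = multi_platform_all`, as the later patch in this series does for the client counterpart. Also `"{{ var_rekey_limit_size}} {{var_rekey_limit_time}}"` has inconsistent spacing inside the braces; use `{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}`.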
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 2620c2d49e..0277f31392 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -3,7 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_rekey_limit_size
-populate var_rekey_limit_time
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
---
.../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index 57aa090948..47796e5332 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,5 +1,4 @@
-{{% set filepath = "/etc/ssh/sshd_config" %}}
-{{% set parameter = "RekeyLimit" %}}
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
<def-group>
@@ -7,7 +6,7 @@
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
</metadata>
<criteria comment="sshd is configured correctly or is not installed" operator="OR">
{{{- application_not_required_or_requirement_unset() }}}



@ -0,0 +1,102 @@
From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 10:51:24 +0200
Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
---
.../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 +
rhel8/profiles/ospp.profile | 2 +-
rhel8/profiles/stig.profile | 3 +++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
index 16dc376508..395a087a68 100644
--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
@@ -12,3 +12,4 @@ options:
sshd_default: "default"
default: "512M"
"512M": "512M"
+ "1G": "1G"
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index a5223a187f..0dca8350f9 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,7 +58,7 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
- - var_rekey_limit_size=512M
+ - var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- sshd_use_strong_rng
- openssl_use_strong_entropy
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..a156857647 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,6 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
+ - sshd_rekey_limit
+ - var_rekey_limit_size=512M
+ - var_rekey_limit_time=1hour
From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 10:51:54 +0200
Subject: [PATCH 2/3] update stable ospp profile
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index bdda39a903..25f7922bf3 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -214,7 +214,7 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
-- var_rekey_limit_size=512M
+- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 09:30:58 +0200
Subject: [PATCH 3/3] propagate change also into stig profile
---
rhel8/profiles/stig.profile | 3 ---
tests/data/profile_stability/rhel8/stig.profile | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index a156857647..2bb81cf9dc 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,6 +44,3 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- - sshd_rekey_limit
- - var_rekey_limit_size=512M
- - var_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ebef541921..6c4270925f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -242,7 +242,7 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
-- var_rekey_limit_size=512M
+- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4


@ -0,0 +1,798 @@
From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:34:50 +0200
Subject: [PATCH 01/11] add rule, variables, check, remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
.../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
.../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
.../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
.../var_ssh_client_rekey_limit_size.var | 15 +++++++
.../var_ssh_client_rekey_limit_time.var | 14 +++++++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..6d2bcbbd44
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
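Review bot: the same `[0/453]` pager residue sits in `# platform = multi_platform_all [0/453]`; it is corrected in a later patch of this series but should not land in the first place. Also `regex='^\s*RekeyLimit.*$'` is case-sensitive while ssh_config keywords are not, so an existing `rekeylimit` line would be left in place and a second line added; the client applies the first obtained value, so the earlier line would win.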
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..43d0971ffc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..2412763e3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -0,0 +1,39 @@
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="RekeyLimit is correctly configured for ssh client">
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
+</def-group>
+
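Review bot: the definition inspects only `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, but the client applies the first obtained value per keyword and reads `~/.ssh/config` before `/etc/ssh/ssh_config`, so a per-user `RekeyLimit`, or one placed in `/etc/ssh/ssh_config` ahead of its `Include` line, takes precedence while this check still passes; the rule should say so, and the OVAL could at least verify there is no other uncommented `RekeyLimit` in `/etc/ssh/ssh_config`. Unlike the sshd rule, the `<criteria>` here has no "package not required" branch (`application_not_required_or_requirement_unset`), so the rule fails outright on a host without openssh-clients; consider the same gating.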
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
new file mode 100644
index 0000000000..a1b85b0ee5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure session renegotiation for SSH client'
+
+description: |-
+ The <tt>RekeyLimit</tt> parameter specifies how often
+ the session key is renegotiated, both in terms of
+ amount of data that may be transmitted and the time
+ elapsed. To decrease the default limits, put line
+ <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+
+rationale: |-
+ By decreasing the limit based on the amount of data and enabling
+ time-based limit, effects of potential attacks against
+ encryption keys are limited.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82880-6
+
+references:
+ ospp: FCS_SSHS_EXT.1
+
+ocil_clause: 'it is commented out or is not set'
+
+ocil: |-
+ To check if RekeyLimit is set correctly, run the
+ following command:
+ <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
+ If configured properly, output should be
+ <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
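Review bot: `ospp: FCS_SSHS_EXT.1` is the SSH server protocol requirement; the client-side counterpart in the OSPP is `FCS_SSHC_EXT.1`, which is what a rule for `ssh_config` should cite. The OCIL `grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf` also matches commented lines, so use `grep '^\s*RekeyLimit'` to agree with the `ocil_clause`.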
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
new file mode 100644
index 0000000000..bcf051fd97
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "default"
+ default: "512M"
+ "512M": "512M"
+ "1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
new file mode 100644
index 0000000000..31c76f9ab5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "none"
+ default: "1h"
+ "1hour": "1h"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 45d03a2c1d..e060d2fb1c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82880-6
CCE-82882-2
CCE-82883-0
CCE-82888-9
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:24 +0200
Subject: [PATCH 02/11] add tests
---
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
4 files changed, 15 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
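Review bot: this test edits `/etc/ssh/sshd_config`, but the rule checks `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, so the scenario it sets up never reaches the check, and `sed -e` without `-i` does not modify the file either; a later patch in this series rewrites it to target the client drop-in, which is the version that should have landed here.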
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
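Review bot: same wrong target as the other tests in this patch: the compliant line is appended to `/etc/ssh/sshd_config` rather than `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, so this "pass" scenario fails against the client OVAL until the later fix in this series; the `sed` call also lacks `-i`.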
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:43 +0200
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
---
rhel8/profiles/ospp.profile | 5 +++++
tests/data/profile_stability/rhel8/ospp.profile | 3 +++
tests/data/profile_stability/rhel8/stig.profile | 3 +++
3 files changed, 11 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 0dca8350f9..07d32b814d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -410,3 +410,8 @@ selections:
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 25f7922bf3..b0d7672c36 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -240,4 +240,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: Protection Profile for General Purpose Operating Systems
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6c4270925f..330ecc7e1e 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,4 +269,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:25:41 +0200
Subject: [PATCH 04/11] improve description of variables
---
.../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
.../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index bcf051fd97..4e20104cba 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -2,14 +2,20 @@ documentation_complete: true
title: 'SSH client RekeyLimit - size'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the size component of the rekey limit. This limit signifies amount
+ of data. After this amount of data is transferred through the connection,
+ the session key is renegotiated. The number is followed by K, M or G for
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+ configured according to ellabsed time.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "default"
default: "512M"
"512M": "512M"
"1G": "1G"
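Review bot: typo in the new description, "ellabsed time" should be "elapsed time", and "This limit signifies amount of data" reads better as "This limit is an amount of data". Dropping the `ssh_client_default` option also means a profile can no longer select the client's built-in default; if that is intended, the sshd-side `var_rekey_limit_size.var`, which still offers `sshd_default`, should follow suit for consistency.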
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 31c76f9ab5..6143a5448c 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -1,14 +1,20 @@
documentation_complete: true
-title: 'SSH client RekeyLimit - size'
+title: 'SSH client RekeyLimit - time'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the time component of the rekey limit. This limit signifies amount
+ of data. The session key is renegotiated after the defined amount of time
+ passes. The number is followed by units such as H or M for hours or minutes.
+ Note that the RekeyLimit can be also configured according to amount of
+ transfered data.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "none"
default: "1h"
"1hour": "1h"
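Review bot: "This limit signifies amount of data." was carried over from the size variable and is wrong here, since this is the time component; replace it with "This limit is a period of time." Also "transfered" should be "transferred".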
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:26:12 +0200
Subject: [PATCH 05/11] fix tests and ansible
---
.../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index 6d2bcbbd44..bb6544a0a0 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_all [0/453]
+# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 2ac0bbf350..22c465b08f 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
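Review bot: the new line appends to 02-rekey-limit.conf without first removing the file, so a pre-existing correct RekeyLimit line in that file would still satisfy a check that only asks for at least one matching line, and this .fail scenario would pass; mirror ok.pass.sh and start with `rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf`. The removed lines were also ineffective as written: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` has no `-i`, so nothing was edited, and sshd_config is the server file, not the client file this rule covers.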
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index fec859fe05..0dc621b1da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
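Review bot: this scenario is only a failure if the variable defaults are 512M and 1h, which the script does not state; a one-line comment naming the assumed defaults (and the same `rm -f` of the drop-in as in ok.pass.sh) would keep the test meaningful when the defaults or the selected profile change.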
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index a6cd10163f..f6abf711da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,3 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
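Review bot: `>` correctly truncates 02-rekey-limit.conf, but any other *.conf in /etc/ssh/ssh_config.d is left alone, and because the check accepts a correct RekeyLimit line in any drop-in, a pre-existing file there would make this .fail scenario pass; clear RekeyLimit from the whole directory, not just this one file.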
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index a6a2ba7adf..e64e4191bc 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,4 +1,5 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
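Review bot: after `rm -f` the `>>` is effectively `>`, which is fine, but the script assumes /etc/ssh/ssh_config.d exists and that /etc/ssh/ssh_config carries no RekeyLimit of its own; both assumptions should be made explicit in the script so the pass scenario does not depend on the image it runs in. The value 1G also differs from the 512M used in the other tests, so it is unclear which default the rule expects.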
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 1 Jun 2020 14:29:47 +0200
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
---
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
rhel8/profiles/stig.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 1 -
3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index e64e4191bc..89d7069687 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -2,4 +2,4 @@
rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..8f12852e26 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,4 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
+ - "!ssh_client_rekey_limit"
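Review bot: the rule is unselected from the STIG profile with `"!ssh_client_rekey_limit"` but neither the commit message ("remove rule from stig") nor a comment in the profile says why; a short rationale next to the line would save the next reader from re-deriving it.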
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 330ecc7e1e..9b164eb5c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,7 +269,6 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
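Review bot: only `- ssh_client_rekey_limit` is removed here while `var_ssh_client_rekey_limit_size=1G` and `var_ssh_client_rekey_limit_time=1hour` stay selected; with the rule gone these variable selections are dead unless another rule consumes them, so either remove them too or note what still uses them.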
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Jun 2020 12:38:19 +0200
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
---
.../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++-------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
index 2412763e3f..41fa0497ae 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -1,28 +1,17 @@
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
-
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
</metadata>
- <criteria comment="RekeyLimit is correctly configured for ssh client">
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
+ <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
+ <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
- <ind:object object_ref="obj_ssh_client_rekey_limit"/>
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
- <ind:filepath>{{{ filepath }}}</ind:filepath>
- <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
<literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
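Review bot: the new criteria assume the drop-in directory is actually read, but nothing checks that /etc/ssh/ssh_config contains an `Include /etc/ssh/ssh_config.d/*.conf` directive; on a host where it was removed the check passes while the client never sees the RekeyLimit. Consider a third criterion on the Include line, or at least state the assumption in the description.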
@@ -35,5 +24,26 @@
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
-</def-group>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
+ <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
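Review bot: obj_ssh_client_rekey_limit_include_configs only requires that at least one *.conf holds a correctly-valued RekeyLimit line, so a file that sorts earlier (for example 01-something.conf) with a different RekeyLimit wins under ssh_config's first-match semantics while the check still passes. Add a negated test for lines matching `^[\s]*RekeyLimit` that do not match ssh_client_line_regex, which is the condition the rule description asks the administrator to verify by hand.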
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:24:54 +0200
Subject: [PATCH 08/11] reqrite remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++
.../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
2 files changed, 29 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index bb6544a0a0..36de503806 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -5,4 +5,20 @@
# disruption = low
{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
+
+- name: Collect all include config files for ssh client which configure RekeyLimit
+ find:
+ paths: "/etc/ssh/ssh_config.d/"
+ contains: '^[\s]*RekeyLimit.*$'
+ patterns: "*.config"
+ register: ssh_config_include_files
+
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^[\s]*RekeyLimit.*$'
+ state: "absent"
+ loop: "{{ ssh_config_include_files.files }}"
+
{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
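Review bot: the new `find` task uses `patterns: "*.config"` while the OVAL and the bash remediation look at `*.conf`, so no files are collected and the cleanup task is a no-op. The loop also feeds `find` result dicts into `path: "{{ item }}"`; it should be `path: "{{ item.path }}"` (or map the list with `map(attribute='path')`). Fix the pattern to `"*.conf"` and the path reference, otherwise a conflicting RekeyLimit in another drop-in survives remediation.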
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
index 43d0971ffc..99f6f63c92 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -5,4 +5,17 @@
{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+main_config="/etc/ssh/ssh_config"
+include_directory="/etc/ssh/ssh_config.d"
+
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
+fi
+
+for file in "$include_directory"/*.conf; do
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
+ fi
+done
+
{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
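Review bot: in grep and sed a bracket expression `[\s]` matches a backslash or the letter s, not whitespace, so `'^[\s]*RekeyLimit.*$'` only matches lines that start in column 0 and an indented RekeyLimit survives the cleanup in both the main config and the drop-ins; use `^[[:space:]]*RekeyLimit`. Also, when `"$include_directory"/*.conf` matches nothing the loop runs once with the literal glob and grep reports a missing file; guard with `[ -f "$file" ] || continue`.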
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:14 +0200
Subject: [PATCH 09/11] add more tests
---
.../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
.../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
.../tests/ok_different_config_file.pass.sh | 3 +++
3 files changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
new file mode 100644
index 0000000000..90314712af
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/basdh
+
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
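Review bot: the shebang `#!/bin/basdh` is a typo for `#!/bin/bash`, and unlike the other tests this file has no `# platform = multi_platform_all` header, so the test harness may not pick it up for the intended platforms.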
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
new file mode 100644
index 0000000000..9ba20b0290
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/ssh/ssh_config.d/*
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
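Review bot: `rm -rf /etc/ssh/ssh_config.d/*` deletes every drop-in, including any shipped by the distribution, which changes the test environment well beyond what this rule is about; removing only files that match `RekeyLimit` (or only 02-rekey-limit.conf) keeps the scenario focused on the main-config failure. The `# platform` header is missing here as well.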
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
new file mode 100644
index 0000000000..f725f6936f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
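Review bot: this covers a correct value in a differently named drop-in, but no test covers the case the rule description warns about, a lower-sorting file (e.g. 01-*.conf) with a wrong RekeyLimit next to a correct 02-rekey-limit.conf; adding that .fail scenario would show whether the OVAL actually enforces the ordering the description asks for.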
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:29 +0200
Subject: [PATCH 10/11] extend description and ocil
---
.../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index a1b85b0ee5..76f5f84090 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -10,6 +10,12 @@ description: |-
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
<tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+ Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
+ the <tt>include</tt> directive in the main config file
+ <tt>/etc/ssh/ssh_config</tt>. Check also other files in
+ <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+ their names. Make sure that there is no file processed before
+ <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
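Review bot: the added text says only a RekeyLimit "preceding the include directive" in /etc/ssh/ssh_config is a problem, but the OVAL's negated test_ssh_client_rekey_limit_main_config fails on any RekeyLimit line in that file and both remediations delete all of them; align the description with the check, e.g. "there must be no RekeyLimit directive in /etc/ssh/ssh_config at all".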
@@ -27,8 +33,11 @@ references:
ocil_clause: 'it is commented out or is not set'
ocil: |-
- To check if RekeyLimit is set correctly, run the
- following command:
- <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
- If configured properly, output should be
- <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
+ To check if RekeyLimit is set correctly, run the following command: <pre>$
+ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
+ properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
+ main configuration file with the following command: <pre>sudo grep
+ RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
+ output.
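Review bot: `<pre>$` followed by a line break and `sudo grep ...` puts the command on two lines inside `<pre>`, so the rendered guide shows a broken command; keep each `<pre>` block on a single source line. The unchanged `ocil_clause: 'it is commented out or is not set'` also no longer covers the new failure modes (set in the main config, or set with a different value in another drop-in).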
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 11:44:44 +0200
Subject: [PATCH 11/11] fix typos and wording
---
.../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++--
.../tests/bad_main_config_good_include_config.fail.sh | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 +
.../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
.../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
8 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 76f5f84090..b054d9d221 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -14,8 +14,9 @@ description: |-
the <tt>include</tt> directive in the main config file
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
- their names. Make sure that there is no file processed before
- <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
+ lexicographical order of file names. Make sure that there is no file
+ processed before <tt>02-rekey-limit.conf</tt> containing definition of
+ <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
index 90314712af..58befb0107 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -1,4 +1,4 @@
-#!/bin/basdh
+#!/bin/bash
echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 22c465b08f..1803c26629 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index 0dc621b1da..2c9e839255 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index f6abf711da..7de108eafd 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index 89d7069687..4c047ed179 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index 4e20104cba..c8dd8ef10e 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -7,7 +7,7 @@ description: |-
of data. After this amount of data is transferred through the connection,
the session key is renegotiated. The number is followed by K, M or G for
kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
- configured according to ellabsed time.
+ configured according to elapsed time.
interactive: true
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 6143a5448c..6223e8e38f 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -3,11 +3,10 @@ documentation_complete: true
title: 'SSH client RekeyLimit - time'
description: |-
- Specify the time component of the rekey limit. This limit signifies amount
- of data. The session key is renegotiated after the defined amount of time
- passes. The number is followed by units such as H or M for hours or minutes.
- Note that the RekeyLimit can be also configured according to amount of
- transfered data.
+ Specify the time component of the rekey limit. The session key is
+ renegotiated after the defined amount of time passes. The number is followed
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
+ be also configured according to amount of transfered data.
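Review bot: in a patch titled "fix typos and wording", "transfered" on the last added line should be "transferred", and "according to amount of" reads better as "according to the amount of".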
interactive: true

From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Tue, 16 Jun 2020 16:04:10 -0600
Subject: [PATCH] Remove grub documentation links from RHEL7 rationale
---
.../system/bootloader-grub2/grub2_admin_username/rule.yml | 7 -------
.../guide/system/bootloader-grub2/grub2_password/rule.yml | 7 -------
.../system/bootloader-grub2/grub2_uefi_password/rule.yml | 7 -------
3 files changed, 21 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
index 2042a17806..63a6a7a83c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
@@ -24,13 +24,6 @@ description: |-
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: low
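Review bot: the commit message says what is removed but not why the RHEL7 documentation link goes away (dead URL, moved to the references section, or considered out of scope); one sentence of rationale in the message would help, since the same block is deleted from three rules.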
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
index 00cec58c77..985b8727d7 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -23,13 +23,6 @@ rationale: |-
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: high
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index 954d6f21d0..3ce5a2df13 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -23,13 +23,6 @@ rationale: |-
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: medium

From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jul 2020 13:22:58 +0200
Subject: [PATCH 1/2] update wording for rhel7 profile
---
rhel7/profiles/hipaa.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
index 4310561323..000441de52 100644
--- a/rhel7/profiles/hipaa.profile
+++ b/rhel7/profiles/hipaa.profile
@@ -12,6 +12,7 @@ description: |-
This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
selections:
- grub2_password
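Review bot: the added sentence uses "against" twice with the wrong preposition ("makes claims against legal compliance against the HIPAA Security Rule(s)"); suggest "Use of this profile in no way guarantees or makes claims of legal compliance with the HIPAA Security Rule(s)." It is also one long line where the surrounding description is wrapped.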
From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jul 2020 13:23:18 +0200
Subject: [PATCH 2/2] update wording for rhel8 profile
---
rhel8/profiles/hipaa.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index 8d20f9019c..0cb7fbed1f 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -12,6 +12,7 @@ description: |-
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
selections:
- grub2_password
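Review bot: same sentence and same wording issue as in the rhel7 profile hunk; since the disclaimer is identical for both products, a shared snippet would keep the two from drifting apart.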

From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 17 Aug 2020 10:59:15 +0200
Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not
necessary anymore.
---
tests/run_scapval.py | 26 --------------------------
1 file changed, 26 deletions(-)
diff --git a/tests/run_scapval.py b/tests/run_scapval.py
index e1dd806ca1..bc2655b9fd 100755
--- a/tests/run_scapval.py
+++ b/tests/run_scapval.py
@@ -46,35 +46,9 @@ def process_results(result_path):
return ret_val
-def workaround_datastream(datastream_path):
- tree = ET.parse(datastream_path)
- root = tree.getroot()
- # group_id and user_id cannot be zero
- # tracked at https://github.com/OVAL-Community/OVAL/issues/23
- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
- if group_id_element.text is not None:
- group_id_element.text = "-1"
- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
- if user_id_element.text is not None:
- user_id_element.text = "-1"
- # OCIL checks for security_patches_up_to_date is causing fail
- # of SRC-377, when requirement is about OVAL checks.
- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
- for check in rule.findall("{%s}check" % xccdf_ns):
- system = check.get("system")
- if system == "http://scap.nist.gov/schema/ocil/2":
- rule.remove(check)
- output_path = datastream_path + ".workaround.xml"
- tree.write(output_path)
- return output_path
-
-
def test_datastream(datastream_path, scapval_path, scap_version):
result_path = datastream_path + ".result.xml"
report_path = datastream_path + ".report.html"
- if scap_version == "1.3":
- datastream_path = workaround_datastream(datastream_path)
scapval_command = [
"java",
"-Xmx1024m",
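Review bot: with workaround_datastream gone, check whether `ET`, `oval_unix_ns` and `xccdf_ns` are still referenced anywhere else in run_scapval.py and remove them if not. The commit message also drops its subject in "In SCAPVAL-1.3.5 was fixed"; it should say what was fixed (the SRC-377 false positive, judging by the removed comment).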

From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 8 Jul 2020 17:37:50 +0200
Subject: [PATCH 1/9] create rule, check, bash remediation
---
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 1 +
.../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 2 --
4 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
new file mode 100644
index 0000000000..9838a13c95
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
+
+#blank line at the begining to ease later readibility
+echo '' > "$file"
+echo "$cp" >> "$file"
+update-crypto-policies
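Review bot: the platform line covers Oracle Linux 8, RHV 4 and Fedora while rule.yml sets `prodtype: rhel8` only, so the two disagree about where this remediation applies. `update-crypto-policies` is also run without checking its exit status; if it fails the back-end file is left unchanged and the remediation silently reports success. The comment has "begining" and "readibility" for "beginning" and "readability".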
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
new file mode 100644
index 0000000000..09199ce4da
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
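Review bot: the bash remediation writes `Ciphersuites = ...` with spaces around `=` while the check passes `separator_regex="="`; confirm that oval_check_config_file tolerates the surrounding whitespace, otherwise the remediated system fails its own check. A comment explaining that `prefix_regex="^(?:.*\\n)*\s*"` is meant to select the last Ciphersuites definition (the one local.d appends) would also help, and the trailing `, )` in the call can go.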
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
new file mode 100644
index 0000000000..afbdb36a23
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Harden OpenSSL Crypto Policy'
+
+description: |-
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
+ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
+ This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
+ Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
+
+rationale: |-
+ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 84286-4
+
+references:
+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ ospp : FCS_SSHS_EXT.1
+ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+
+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
+
+ocil: |-
+ To verify if the OpenSSL uses defined Crypto Policy, run:
+ <pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
+ and verify that the line matches
+ <pre>84285-6</pre>
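Review bot: the OCIL expected output `<pre>84285-6</pre>` is a CCE fragment rather than the configuration line the reader is asked to compare against; it should be the `Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256` line the remediation writes. In `references`, `ospp : FCS_SSHS_EXT.1` has a stray space before the colon and names the SSH server requirement, which does not fit an OpenSSL cipher suite rule; the description also carries the typos "OPenSSL" and "OpenSSL r".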
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index afc0d80417..01b321b6d5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -904,8 +904,6 @@ CCE-84281-5
CCE-84282-3
CCE-84283-1
CCE-84284-9
-CCE-84285-6
-CCE-84286-4
CCE-84287-2
CCE-84288-0
CCE-84289-8
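Review bot: two CCEs are taken out of the available pool but only CCE-84286-4 is assigned in the new rule.yml; CCE-84285-6 shows up only by mistake in the OCIL `<pre>` block, so it should go back into cce-redhat-avail.txt unless it is reserved for another rule.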
From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 8 Jul 2020 17:38:32 +0200
Subject: [PATCH 2/9] add tests
---
.../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++
.../tests/correct_commented.fail.sh | 7 +++++++
.../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++
.../tests/empty_policy.fail.sh | 7 +++++++
.../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++
.../tests/incorrect_policy.fail.sh | 7 +++++++
.../tests/missing_file.fail.sh | 7 +++++++
7 files changed, 51 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
new file mode 100644
index 0000000000..9e59b30bd2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
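Review bot: the `# platform` header lists only Fedora and RHEL 8, while the bash remediation also targets Oracle Linux 8 and Red Hat Virtualization 4, so two of the rule's platforms get no test coverage. Writing straight into the generated `/etc/crypto-policies/back-ends/opensslcnf.config` is fine for exercising the OVAL check, but the scenario relies on nothing re-running `update-crypto-policies` before the scan.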
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
new file mode 100644
index 0000000000..91863849b3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
new file mode 100644
index 0000000000..f44957d3e1
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
new file mode 100644
index 0000000000..5b14fe8ef4
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites=" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
new file mode 100644
index 0000000000..6be3bb2ffa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
new file mode 100644
index 0000000000..b4fd0f97be
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
new file mode 100644
index 0000000000..2d11d227cb
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+rm -f "$configfile"
From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:05:38 +0200
Subject: [PATCH 3/9] remove blank line from remediation
---
.../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
index 9838a13c95..be6f84f83d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -3,7 +3,6 @@
cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
-#blank line at the begining to ease later readibility
-echo '' > "$file"
+
echo "$cp" >> "$file"
update-crypto-policies
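Review bot: with the truncating `echo '' > "$file"` removed, every run of the remediation appends another `Ciphersuites` line to opensslcnf-ospp.config; the check still passes because the last occurrence wins, but the file grows on each application. Guard the append, e.g. `grep -qxF "$cp" "$file" || echo "$cp" >> "$file"`, and the blank line left in place of the removed comment can go as well.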
From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:02 +0200
Subject: [PATCH 4/9] fix separator regex in oval
---
.../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
index 09199ce4da..37be62ee39 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:29 +0200
Subject: [PATCH 5/9] reformat rule, fix wrong ocil
---
.../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++-----
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index afbdb36a23..d019d6cd32 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -5,13 +5,23 @@ prodtype: rhel8
title: 'Harden OpenSSL Crypto Policy'
description: |-
- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
- This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
- Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
+ Crypto Policies are means of enforcing certain cryptographic settings for
+ selected applications including OpenSSL. OPenSSL is by default configured to
+ modify its configuration based on currently configured Crypto-Policy.
+ However, in certain cases it might be needed to override the Crypto Policy
+ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
+ <tt>xxx</tt> with arbitrary identifier, into
+ <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
+ <tt>update-crypto-policies</tt> so that changes are applied. Changes are
+ propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.
+ This rule checks if this file contains predefined <tt>Ciphersuites</tt>
+ variable configured with predefined value.
rationale: |-
- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+ The Common Criteria requirements specify that certain parameters for OpenSSL
+ are configured e.g. cipher suites. Currently particular requirements
+ specified by CC are stricter compared to any existing Crypto Policy.
severity: medium
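Review bot: the reflow carries over the typo "OPenSSL" and the stray "r" in "specific to OpenSSL r"; since these lines are being rewritten anyway, fix both here rather than in a follow-up commit.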
@@ -30,4 +40,4 @@ ocil: |-
To verify if the OpenSSL uses defined Crypto Policy, run:
<pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
and verify that the line matches
- <pre>84285-6</pre>
+ <pre>Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</pre>
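Review bot: `grep 'Ciphersuites' ... | tail -n 1` also prints a commented-out `#Ciphersuites = ...` line, which the OVAL check (whose prefix regex allows only whitespace before the parameter) correctly treats as non-compliant, so someone following the OCIL could conclude a failing system passes; anchor the pattern, e.g. `grep '^Ciphersuites'`, so the manual check agrees with the automated one.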
From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:34 +0200
Subject: [PATCH 6/9] update references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index d019d6cd32..075e381906 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -31,8 +31,8 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
- ospp : FCS_SSHS_EXT.1
- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+ ospp: FCS_TLSC_EXT.1.1
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:48 +0200
Subject: [PATCH 7/9] add ansible remediation
---
.../ansible/shared.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
new file mode 100644
index 0000000000..d5c2c2b9f7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ lineinfile:
+ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ create: yes
+ insertafter: EOF
+
+- name: "Update system crypto policy for changes to take effect"
+ command:
+ cmd: "update-crypto-policies"
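Review bot: the `update-crypto-policies` task runs unconditionally and therefore reports `changed` on every play; register the result of the `lineinfile` task and add `when: <result>.changed` to the command task (or move it to a handler) to keep the remediation idempotent. The `# platform` header also covers only RHEL 8, whereas the bash remediation lists Oracle Linux 8, Red Hat Virtualization 4 and Fedora as well.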
From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Wed, 15 Jul 2020 09:26:11 +0200
Subject: [PATCH 8/9] fix typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index 075e381906..ce0351aa34 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
description: |-
Crypto Policies are means of enforcing certain cryptographic settings for
- selected applications including OpenSSL. OPenSSL is by default configured to
- modify its configuration based on currently configured Crypto-Policy.
+ selected applications including OpenSSL. OpenSSL is by default configured to
+ modify its configuration based on currently configured Crypto Policy.
However, in certain cases it might be needed to override the Crypto Policy
- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ specific to OpenSSL and leave rest of the Crypto Policy intact. This can
be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
<tt>xxx</tt> with arbitrary identifier, into
<tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Jul 2020 09:36:06 +0200
Subject: [PATCH 9/9] update rule references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index ce0351aa34..0cbead2a6d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -30,8 +30,8 @@ identifiers:
references:
- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ nist: SC-8(1),SC-13
ospp: FCS_TLSC_EXT.1.1
- srg: SRG-OS-000250-GPOS-00093
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'

@ -0,0 +1,48 @@
From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Aug 2020 15:56:40 +0200
Subject: [PATCH] Add a missing Crypto Policy rule to OSPP.
The rule fell out by mistake, this addition complements #4682
---
rhel8/profiles/ospp.profile | 1 +
tests/data/profile_stability/rhel8/ospp.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 5 +++--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5b5b5b711a..a651885eef 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -235,6 +235,7 @@ selections:
- enable_fips_mode
- var_system_crypto_policy=fips_ospp
- configure_crypto_policy
+ - configure_ssh_crypto_policy
- configure_bind_crypto_policy
- configure_openssl_crypto_policy
- configure_libreswan_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5aa3592496..13c4e6b08d 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -62,6 +62,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 9b164eb5c2..c7fe02169a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -77,6 +77,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend

@ -0,0 +1,22 @@
From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 18 Aug 2020 13:55:12 +0200
Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
---
.../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index e2dd99dbb5..51788a3226 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
cis@rhel8: 5.2.20
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'

@ -0,0 +1,209 @@
From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:31:59 +0200
Subject: [PATCH 1/3] modify rule description and ocil
---
.../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
index 765fca583e..1667557740 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
description: |-
Device files, which are used for communication with important system
- resources, should be labeled with proper SELinux types. If any device
- files do not carry the SELinux type <tt>device_t</tt>, report the bug so
- that policy can be corrected. Supply information about what the device is
- and what programs use it.
+ resources, should be labeled with proper SELinux types. If any device files
+ carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
+ bug so that policy can be corrected. Supply information about what the
+ device is and what programs use it.
<br /><br />
- To check for unlabeled device files, run the following command:
+ To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
rationale: |-
- If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
- cannot properly restrict access to the device file.
+ If a device file carries the SELinux type <tt>device_t</tt> or
+ <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
+ device file.
severity: medium
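Review bot: the `*:device_t:*` and `*:unlabeled_t:*` arguments to `find -context` are unquoted, so the shell will try to expand them against the current directory before `find` sees them; quote them (`-context '*:device_t:*'`). The same applies to the two commands in the `ocil` hunk below.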
@@ -45,8 +47,9 @@ references:
ocil_clause: 'there is output'
ocil: |-
- To check for unlabeled device files, run the following command:
+ To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
warnings:
From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:32:57 +0200
Subject: [PATCH 2/3] updated oval to check only device files
---
.../oval/shared.xml | 64 +++++++++++++------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
index 51b68008af..7dcfb98577 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
@@ -2,32 +2,54 @@
<definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
<metadata>
<title>Device Files Have Proper SELinux Context</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- <platform>Red Hat Enterprise Linux 7</platform>
- <platform>Red Hat Enterprise Linux 8</platform>
- <platform>Red Hat Virtualization 4</platform>
- <platform>multi_platform_fedora</platform>
- <platform>multi_platform_ol</platform>
- <platform>multi_platform_wrlinux</platform>
- </affected>
- <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
+ {{{- oval_affected(products) }}}
+ <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
</metadata>
- <criteria>
- <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
+ <criteria operator="AND">
+ <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
+ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
</criteria>
</definition>
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
- <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
- <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
+
+ <!-- collect all special files from /dev directory -->
+ <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
+ <unix:behaviors recurse_direction="down" />
+ <unix:path operation="equals">/dev</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_block_or_char_device_file</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
+ <unix:type operation="pattern match">^(block|character) special$</unix:type>
+ </unix:file_state>
+
+ <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
+ <object_component object_ref="object_dev_device_files" item_field="filepath" />
+ </local_variable>
+
+
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
+ <linux:object object_ref="object_selinux_dev_device_t" />
+ <linux:state state_ref="state_selinux_dev_device_t" />
</linux:selinuxsecuritycontext_test>
- <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
- <linux:behaviors recurse_direction="down" />
- <linux:path>/dev</linux:path>
- <linux:filename operation="pattern match">^.*$</linux:filename>
- <filter action="include">state_selinux_all_devicefiles_labeled</filter>
+ <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
+ <filter action="include">state_selinux_dev_device_t</filter>
</linux:selinuxsecuritycontext_object>
- <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
+ <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
<linux:type datatype="string" operation="equals">device_t</linux:type>
</linux:selinuxsecuritycontext_state>
+
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
+ <linux:object object_ref="object_selinux_dev_unlabeled_t" />
+ <linux:state state_ref="state_selinux_dev_unlabeled_t" />
+ </linux:selinuxsecuritycontext_test>
+ <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
+ <filter action="include">state_selinux_dev_unlabeled_t</filter>
+ </linux:selinuxsecuritycontext_object>
+ <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
+ <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
+ </linux:selinuxsecuritycontext_state>
+
</def-group>
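Review bot: `object_dev_device_files` sets `recurse_direction="down"` but leaves `recurse` at its default of following both directories and symlinks while walking /dev, so links such as /dev/fd are traversed too; consider `recurse="directories"` in the `unix:behaviors` element to keep the walk to the device tree itself. The two `selinuxsecuritycontext_object` elements are otherwise identical apart from the included state, which is fine, but a comment saying why the filter is needed on top of the `none satisfy` test would help the next reader.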
From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:33:26 +0200
Subject: [PATCH 3/3] add tests
---
.../tests/block_device_device_t.fail.sh | 4 ++++
.../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++
.../tests/regular_file_device_t.pass.sh | 4 ++++
.../tests/symlink_with_wrong_label.pass.sh | 4 ++++
4 files changed, 26 insertions(+)
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
new file mode 100644
index 0000000000..08c4142e5b
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mknod /dev/foo b 1 5
+chcon -t device_t /dev/foo
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
new file mode 100644
index 0000000000..1da85c2034
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# selinux does not allow unlabeled_t in /dev
+# we have to modify the selinux policy to allow that
+
+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
+semodule -i /tmp/unlabeled_t.cil
+
+mknod /dev/foo c 1 5
+chcon -t unlabeled_t /dev/foo
+
+
+mknod /dev/foo c 1 5
+chcon -t device_t /dev/foo
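Review bot: the two trailing lines `mknod /dev/foo c 1 5` and `chcon -t device_t /dev/foo` undo the condition this file is named for. The second `mknod` fails because `/dev/foo` already exists, but the `chcon` succeeds and relabels the node from `unlabeled_t` to `device_t`, so the check runs against `device_t`, which `block_device_device_t.fail.sh` already covers, and the `unlabeled_t` case is never exercised. Drop the duplicated pair, or create the second node under a different name. Also note that `semodule -i /tmp/unlabeled_t.cil` installs a persistent policy module that widens what may be associated with a `device_t` filesystem; unlike the other scenarios, this one changes the system beyond the test, which should be stated in the comment (and "selinux" capitalised as SELinux there).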
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
new file mode 100644
index 0000000000..d161951d7a
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /dev/foo
+restorecon -F /dev/foo
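Review bot: the file name promises a regular file labeled `device_t`, but the script never sets that type; it relies on `restorecon -F` assigning whatever the default context for `/dev/foo` is on the test system. Setting the label explicitly with `chcon -t device_t /dev/foo` makes the intent of the pass scenario (a regular file carrying a device type must not be flagged, since only block and character devices are in scope) independent of the file_contexts database.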
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
new file mode 100644
index 0000000000..a8280bf37e
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ln -s /dev/cpu /dev/foo
+restorecon -F /dev/foo
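Review bot: the scenario name says "wrong label", yet `restorecon -F /dev/foo` gives the symlink its default context rather than a wrong one, so either the name or the script is misleading. If the intent is that symlinks under `/dev` are skipped regardless of their type, set a device type on the link explicitly with `chcon -h -t device_t /dev/foo` so the pass does not depend on the default context. `ln -s /dev/cpu /dev/foo` also fails if `/dev/foo` already exists; `ln -sf` or a preceding `rm -f` has the same effect as the cleanup the fail scenarios need.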


@ -1,21 +1,20 @@
From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 3 Feb 2020 21:23:59 +0100
Subject: [PATCH] Add Kickstart file for STIG profile
From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 2 Sep 2020 10:01:45 +0200
Subject: [PATCH] add CUI kickstart for rhel8
Based on OSPP KS
---
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
1 file changed, 167 insertions(+)
create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
new file mode 100644
index 0000000000..8c970dd6ff
index 0000000000..0957fded96
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
@ -168,7 +167,7 @@ index 0000000000..8c970dd6ff
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_stig
+ profile = xccdf_org.ssgproject.content_profile_cui
+%end
+
+# Packages selection (%packages section is required)
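Review bot: apart from the header comment and the `profile =` line moving from `xccdf_org.ssgproject.content_profile_stig` to `xccdf_org.ssgproject.content_profile_cui`, both versions are 167 lines and the diff touches nothing else, so the CUI kickstart is a copy of the STIG one; the commit message, however, says "Based on OSPP KS". Please confirm that the shared partitioning, package selection and the rest of the unchanged lines are what the CUI profile requires, and align the commit message with the file the kickstart was actually derived from.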


@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.48
Release: 7%{?dist}
Version: 0.1.50
Release: 14%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
@ -8,23 +8,34 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
Patch2: scap-security-guide-0.1.49-max-path-len-skip-logs.patch
Patch3: scap-security-guide-0.1.49-drop-rsyslog-rules.patch
Patch4: scap-security-guide-0.1.49-update-cobit-uri.patch
Patch5: scap-security-guide-0.1.49-ssh-use-strong-rng.patch
Patch6: scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
Patch7: scap-security-guide-0.1.49-add-stig-kickstart.patch
Patch8: scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
Patch9: scap-security-guide-0.1.49-add-few-srg-mappings.patch
# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations
# from https://github.com/ComplianceAsCode/content/pull/5110
# HEAD 210ee56aab3f831c96810ca42189642274bd735f
Patch10: scap-security-guide-0.1.49-split-audit-rules.patch
Patch11: scap-security-guide-0.1.49-fix-remaining-srgs.patch
# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch
Patch12: scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
Patch13: scap-security-guide-0.1.49-add-cce-openssh-server.patch
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
# Patch6 already contains typo fix
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch
Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires
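Review bot: the comment above Patch0, "Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream", is stale in this revision: the changelog below records enabling the HIPAA profile (0.1.50-3), CIS content (0.1.50-2 and -3) and the CUI profile (0.1.50-13), so the list of profiles `disable-not-in-good-shape-profiles.patch` still permits should be updated to match. "# Patch6 already contains typo fix" is not actionable as written; name the typo or drop the line. The patch file names also mix `PR_5771` and `PR5772` style suffixes (Patch19 to Patch21); one convention is easier to grep for.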
@ -72,6 +83,19 @@ present in %{name} package.
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
mkdir build
%build
@ -106,6 +130,68 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
- fixed link in a grub2 rule description (rhbz#1854854)
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
- Update the scapval invocation (RHBZ#1815007)
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
- fix description of HIPAA profile (RHBZ#1867559)
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
- Remove CCM from TLS Ciphersuites
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
- CIS Ansible fixes (RHBZ#1760734)
- HIPAA Ansible fixes (RHBZ#1832760)
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
- HIPAA Profile (RHBZ#1832760)
- Enable build of RHEL8 HIPAA Profile
- Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
- Add Ansible fix for sshd_set_max_sessions
- Add CIS Profile content attribution to Center for Internet Security
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Fix Ansible for no_direct_root_logins
- Fix Ansible template for SELinux booleans
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
- Update to the latest upstream release (RHBZ#1815007)
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
- Update to the latest upstream release (RHBZ#1815007)
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
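Review bot: two consecutive entries, "Fri May 22 2020" and "Wed May 20 2020", both carry the release tag `0.1.50-2`, which makes the NVR ambiguous for anyone tracing a change to a build; each entry should have its own release number, or the two should be merged into one. The bug reference prefix also alternates between `RHBZ#` and `rhbz#` (0.1.50-11 and 0.1.50-12 use lowercase); one spelling makes the changelog searchable.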