import CS scap-security-guide-0.1.69-2.el9

This commit is contained in:
eabdullin 2023-09-21 20:24:57 +00:00
parent e6b9e29b70
commit 2877fa635f
12 changed files with 402 additions and 5487 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.66.tar.bz2 SOURCES/scap-security-guide-0.1.69.tar.bz2

View File

@ -1 +1 @@
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2 60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2

View File

@ -1,106 +0,0 @@
From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:14 +0100
Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
---
.../oval/shared.xml | 68 +++++++++++++++----
1 file changed, 54 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
index 4adef2e53f..d7c96665b4 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -133,9 +133,10 @@
OVAL resources in order to detect and assess only active zone, which are zones with at
least one NIC assigned to it. Since it was possible to easily have the list of active
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
- level of complexity to make sure environments with multiple NICs and multiple zones are
- in use. So, in favor of simplicity and readbility it was decided to work with a static
- list. It means that, in the future, it is possible this list needs to be updated. -->
+ level of complexity to ensure proper assessment in environments where multiple NICs and
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
+ work with a static list. It means that, in the future, it is possible this list needs to
+ be updated. -->
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
datatype="string"
comment="Regex containing the list of zones files delivered in the firewalld package">
@@ -145,23 +146,62 @@
<!-- If any default zone is modified by the administrator, the respective zone file is placed
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
directory is applicable for new zones created by the administrator. Therefore, all files
- in this directory should also allow SSH. -->
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
+ in this directory should also allow SSH.
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
+ an impact in transparency since the objects are not shown in reports. The transparency
+ impact can be workarounded by using other OVAL objects, but this would impact in
+ readability and would increase complexity. This solution is in favor of simplicity. -->
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
check="all" check_existence="at_least_one_exists" version="1"
comment="SSH service is defined in all zones created or modified by the administrator">
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
- </ind:xmlfilecontent_test>
+ <ind:object
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_test>
+
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ version="1">
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files allowing ssh">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
+ </count>
+ </local_variable>
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ <ind:path>/etc/firewalld/zones</ind:path>
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
</ind:xmlfilecontent_object>
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_state>
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_state>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
+ </count>
+ </local_variable>
+
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path>/etc/firewalld/zones</unix:path>
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
+ </unix:file_object>
<!-- SSH service is configured as expected -->
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
--
2.39.1

View File

@ -1,122 +0,0 @@
From 25216f8eb9caa6e783322158967b689e8bd784e7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:14 +0100
Subject: [PATCH 4/5] Accept required and requisite control flag for
pam_pwhistory
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
Patch-status: Accept required and requisite control flag for pam_pwhistory
---
controls/cis_rhel8.yml | 2 +-
controls/cis_rhel9.yml | 2 +-
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
.../rule.yml | 4 ++++
.../var_password_pam_remember_control_flag.var | 1 +
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
8 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c0406f97b8..efc53d03fd 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2267,7 +2267,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 7299a39528..30f7e8d182 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2112,7 +2112,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
index 1e8286a4a4..b02b7da419 100644
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
@@ -5,7 +5,7 @@ controls:
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
rules:
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
status: automated
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index c549de2e96..d2b220ef9f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -129,3 +129,7 @@ warnings:
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
+ If a custom profile was created and used in the system before this authselect feature was
+ available, the new feature can't be used with this custom profile and the
+ remediation will fail. In this case, the custom profile should be recreated or manually
+ updated.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
index 8f01007550..1959936c04 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
@@ -20,4 +20,5 @@ options:
"sufficient": "sufficient"
"binding": "binding"
"ol8": "required,requisite"
+ "requisite_or_required": "requisite,required"
default: "requisite"
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 8c64868619..a3f7dc9720 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -37,7 +37,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6970a32b4f..5d694c6ae1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -433,7 +433,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 314f14e4f6..e165525b90 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -441,7 +441,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
--
2.39.1

View File

@ -1,147 +0,0 @@
From 2bfdf9fa7e8309b079e657460671818e77b9a233 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 17:49:15 +0100
Subject: [PATCH 5/5] remove rule logind_session_timeout and associated
variable from profiles
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
Patch-status: remove rule logind_session_timeout and associated variable from profiles
---
controls/anssi.yml | 2 --
products/rhel8/profiles/cjis.profile | 2 --
products/rhel8/profiles/ospp.profile | 2 --
products/rhel8/profiles/pci-dss.profile | 2 --
products/rhel8/profiles/rht-ccp.profile | 2 --
tests/data/profile_stability/rhel8/ospp.profile | 2 --
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
7 files changed, 14 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 607ce976ef..9e631d1de4 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -676,8 +676,6 @@ controls:
- var_accounts_tmout=10_min
- sshd_set_idle_timeout
- sshd_idle_timeout_value=10_minutes
- - logind_session_timeout
- - var_logind_session_timeout=10_minutes
- sshd_set_keepalive
- id: R30
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 22ae5aac72..30843b692e 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -104,7 +104,6 @@ selections:
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- - logind_session_timeout
- sshd_set_keepalive_0
- disable_host_auth
- sshd_disable_root_login
@@ -120,7 +119,6 @@ selections:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled
- sshd_idle_timeout_value=30_minutes
- - var_logind_session_timeout=30_minutes
- inactivity_timeout_value=30_minutes
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_tcp_syncookies
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 0fe17b2085..fb46ab4c0c 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -300,8 +300,6 @@ selections:
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
- sshd_idle_timeout_value=14_minutes
- sshd_set_idle_timeout
- - logind_session_timeout
- - var_logind_session_timeout=14_minutes
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index c63c5f4a07..c0c9b12773 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -17,7 +17,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
- - var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
@@ -110,7 +109,6 @@ selections:
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- accounts_password_pam_minlen
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 6856951bff..01133a9bde 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -12,7 +12,6 @@ selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- sshd_idle_timeout_value=5_minutes
- - var_logind_session_timeout=5_minutes
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_password_warn_age_login_defs=7
@@ -89,7 +88,6 @@ selections:
- package_telnet_removed
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index a31f3245d8..267b66a4f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -104,7 +104,6 @@ selections:
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- kernel_module_tipc_disabled
-- logind_session_timeout
- mount_option_boot_nodev
- mount_option_boot_nosuid
- mount_option_dev_shm_nodev
@@ -254,7 +253,6 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- sshd_idle_timeout_value=14_minutes
-- var_logind_session_timeout=14_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 5c77ea6a85..902d0084fc 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -109,7 +109,6 @@ selections:
- gid_passwd_group_same
- grub2_audit_argument
- install_hids
-- logind_session_timeout
- no_empty_passwords
- package_aide_installed
- package_audispd-plugins_installed
@@ -137,7 +136,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
-- var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
--
2.39.1

View File

@ -0,0 +1,52 @@
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 8 Aug 2023 15:15:21 +0200
Subject: [PATCH] Remove kernel cmdline check
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.
We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.
Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
@@ -57,19 +55,6 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
- check="all" check_existence="all_exist"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:variable_test id="test_system_crypto_policy_value" version="1"
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />

View File

@ -0,0 +1,272 @@
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:02:08 +0200
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
This commit only improves readability without any technical impact in
the OVAL logic.
---
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
1 file changed, 50 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
<def-group>
- <definition class="compliance" id="enable_fips_mode" version="1">
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+ <extend_definition definition_ref="etc_system_fips_exists"
+ comment="check /etc/system-fips exists"/>
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
+ comment="check sysctl crypto.fips_enabled = 1"/>
+ <extend_definition definition_ref="enable_dracut_fips_module"
+ comment="Dracut FIPS module is enabled"/>
+ <extend_definition definition_ref="configure_crypto_policy"
+ comment="system cryptography policy is configured"/>
+ <criterion test_ref="test_system_crypto_policy_value"
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
- <extend_definition comment="Generic test for s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for s390x architecture"/>
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
- <extend_definition comment="Generic test for NOT s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for NOT s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
- test_ref="test_grubenv_fips_mode" />
+ <criterion test_ref="test_grubenv_fips_mode"
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -34,58 +40,71 @@
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
- check="all" check_existence="all_exist" version="1">
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
- check="all" check_existence="all_exist" version="1">
+
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
+
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
{{%- endif %}}
</ind:variable_state>
+
{{% if product in ["ol8","rhel8"] %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
- comment="Fips mode selected in running kernel opts" version="1">
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
+ check="all" check_existence="all_exist"
+ comment="Fips mode selected in running kernel opts">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
- version="1">
+
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">fips=1</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+
+ <external_variable id="var_system_crypto_policy" version="1"
+ datatype="string" comment="defined crypto policy"/>
</def-group>
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:20:33 +0200
Subject: [PATCH 2/2] Improve OVAL comments for better readability
Simplified the comments and aligned the respective lines to the
project Style Guides.
---
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
<extend_definition definition_ref="etc_system_fips_exists"
- comment="check /etc/system-fips exists"/>
+ comment="check /etc/system-fips file existence"/>
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
- comment="check sysctl crypto.fips_enabled = 1"/>
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
<extend_definition definition_ref="enable_dracut_fips_module"
- comment="Dracut FIPS module is enabled"/>
+ comment="dracut FIPS module is enabled"/>
<extend_definition definition_ref="configure_crypto_policy"
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for s390x architecture"/>
+ comment="generic test for s390x architecture"/>
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for NOT s390x architecture"/>
+ comment="generic test for non-s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion test_ref="test_grubenv_fips_mode"
comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -42,7 +42,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
</ind:textfilecontent54_object>
<ind:variable_test id="test_system_crypto_policy_value" version="1"
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
@@ -81,7 +81,8 @@
</ind:variable_object>
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
+to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
@@ -94,7 +95,7 @@
{{% if product in ["ol8","rhel8"] %}}
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
check="all" check_existence="all_exist"
- comment="Fips mode selected in running kernel opts">
+ comment="FIPS mode is selected in running kernel options">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
{{% endif %}}
<external_variable id="var_system_crypto_policy" version="1"
- datatype="string" comment="defined crypto policy"/>
+ datatype="string" comment="variable which selects the crypto policy"/>
</def-group>

View File

@ -0,0 +1,21 @@
From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 15 Aug 2023 15:17:16 +0200
Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
---
controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
index d5fe6e1327b..9d9dc579fc4 100644
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
@@ -7,6 +7,4 @@ controls:
rules:
- sshd_enable_pam
- sysctl_crypto_fips_enabled
- - harden_sshd_ciphers_openssh_conf_crypto_policy
- - harden_sshd_macs_openssh_conf_crypto_policy
status: automated

View File

@ -0,0 +1,30 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'

View File

@ -5,22 +5,19 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.66 Version: 0.1.69
Release: 1%{?dist} Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Rsyslog files rules remediations # Fix rule enable_fips_mode
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
# Extends rsyslog_logfiles_attributes_modify template for permissions Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch # remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
# Change custom zones check in firewalld_sshd_port_enabled Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch # remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
# Accept required and requisite control flag for pam_pwhistory Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
# remove rule logind_session_timeout and associated variable from profiles
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: libxslt BuildRequires: libxslt
@ -108,6 +105,22 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif %endif
%changelog %changelog
* Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
- Fix ANSSI High profile with secure boot (RHBZ#2221697)
* Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
- Correct URL used to download CVE checks. (RHBZ#2223178)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
- Fixed excess quotes in journald configuration files (RHBZ#2193169)
- Change rules checking home directories to apply only to local users (RHBZ#2203791)
- Change rules checking password age to apply only to local users (RHBZ#2213958)
- Updated man page (RHBZ#2060028)
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1 * Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443) - Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
- Fix remediation of audit watch rules (RHBZ#2169441) - Fix remediation of audit watch rules (RHBZ#2169441)