apply updates related to RHEL9 OSPP profile
Resolves: rhbz#1998583 Resolves: rhbz#2081688 Resolves: rhbz#2081728 Resolves: rhbz#2092799 Resolves: rhbz#2108569 Resolves: rhbz#2114979
parent
14378e5ed6
commit
34b3a0af53
2093
scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
Normal file
File diff suppressed because one or more lines are too long
@ -0,0 +1,90 @@
|
|||||||
|
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||||
|
Subject: [PATCH 1/4] fix ospp references
|
||||||
|
|
||||||
|
---
|
||||||
|
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
index c151d3c4aa1..f9b46c51ddd 100644
|
||||||
|
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
@@ -34,6 +34,7 @@ references:
|
||||||
|
disa: CCI-000213
|
||||||
|
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||||
|
nist: AC-3
|
||||||
|
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||||
|
srg: SRG-OS-000480-GPOS-00227
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
|
||||||
|
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||||
|
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index b47630c62b0..dcc41970043 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -115,7 +115,7 @@ selections:
|
||||||
|
- coredump_disable_storage
|
||||||
|
- coredump_disable_backtraces
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- use_pam_wheel_for_su
|
||||||
|
|
||||||
|
|
||||||
|
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||||
|
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel8/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||||
|
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||||
|
--- a/products/rhel8/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel8/profiles/ospp.profile
|
||||||
|
@@ -220,7 +220,7 @@ selections:
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
- accounts_max_concurrent_login_sessions
|
||||||
|
- securetty_root_login_console_only
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- accounts_password_pam_unix_remember
|
||||||
|
|
||||||
|
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||||
|
Subject: [PATCH 4/4] update profile stability test
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
index 5d73a8c6fef..21e93e310d5 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
@@ -242,7 +242,7 @@ selections:
|
||||||
|
- var_slub_debug_options=P
|
||||||
|
- var_auditd_flush=incremental_async
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
-- var_authselect_profile=sssd
|
||||||
|
+- var_authselect_profile=minimal
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- var_selinux_state=enforcing
|
||||||
|
- var_selinux_policy_name=targeted
|
302
scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
Normal file
@ -0,0 +1,302 @@
|
|||||||
|
From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 27 Jul 2022 13:49:05 +0200
|
||||||
|
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 3 ---
|
||||||
|
1 file changed, 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index dcc41970043..0902abf58db 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,10 +110,7 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - disable_users_coredumps
|
||||||
|
- sysctl_kernel_core_pattern
|
||||||
|
- - coredump_disable_storage
|
||||||
|
- - coredump_disable_backtraces
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
|
||||||
|
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 12:17:27 +0200
|
||||||
|
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
|
||||||
|
|
||||||
|
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
|
||||||
|
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
|
||||||
|
---
|
||||||
|
shared/templates/sysctl/oval.template | 5 -----
|
||||||
|
1 file changed, 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
||||||
|
index 1a7c4979bbe..e0c6f72f928 100644
|
||||||
|
--- a/shared/templates/sysctl/oval.template
|
||||||
|
+++ b/shared/templates/sysctl/oval.template
|
||||||
|
@@ -17,13 +17,8 @@
|
||||||
|
{{% endif %}}
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
{{%- macro sysctl_match() -%}}
|
||||||
|
-{{%- if SYSCTLVAL == "" -%}}
|
||||||
|
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
|
||||||
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
-{{%- else -%}}
|
||||||
|
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
-{{%- endif -%}}
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
{{%- if "P" in FLAGS -%}}
|
||||||
|
|
||||||
|
|
||||||
|
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 13:00:45 +0200
|
||||||
|
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
|
||||||
|
2 files changed, 36 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..7fa36fb940e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -0,0 +1,36 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+
|
||||||
|
+title: 'Configure file name of core dumps'
|
||||||
|
+
|
||||||
|
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ The default coredump filename is <pre>core</pre>. By setting
|
||||||
|
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||||
|
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||||
|
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||||
|
+ <pre>.PID</pre> will be appended to the filename.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel9: CCE-86003-1
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+
|
||||||
|
+ocil: |-
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: sysctl
|
||||||
|
+ vars:
|
||||||
|
+ sysctlvar: kernel.core_uses_pid
|
||||||
|
+ datatype: int
|
||||||
|
+ sysctlval: '0'
|
||||||
|
|
||||||
|
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 09:08:37 +0200
|
||||||
|
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rule.yml | 49 +++++++++++++++++++
|
||||||
|
2 files changed, 49 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..089bb1481aa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
@@ -0,0 +1,49 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+
|
||||||
|
+title: 'Disable storing core dumps'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||||
|
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||||
|
+ behaves differently based on another related option. If
|
||||||
|
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||||
|
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||||
|
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||||
|
+ <tt>0</tt>, no coredump is saved.
|
||||||
|
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ A core dump includes a memory image taken at the time the operating system
|
||||||
|
+ terminates an application. The memory image could contain sensitive data and is generally useful
|
||||||
|
+ only for developers trying to debug problems.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+requires:
|
||||||
|
+ - sysctl_kernel_core_uses_pid
|
||||||
|
+
|
||||||
|
+conflicts:
|
||||||
|
+ - sysctl_kernel_core_pattern
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel9: CCE-86005-6
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
+ocil_clause: |-
|
||||||
|
+ the returned line does not have a value of ''.
|
||||||
|
+
|
||||||
|
+ocil: |
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: sysctl
|
||||||
|
+ vars:
|
||||||
|
+ sysctlvar: kernel.core_pattern
|
||||||
|
+ sysctlval: "''"
|
||||||
|
+ datatype: string
|
||||||
|
|
||||||
|
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 10:40:47 +0200
|
||||||
|
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index 0902abf58db..b1b18261d48 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,7 +110,8 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - sysctl_kernel_core_pattern
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
+ - sysctl_kernel_core_uses_pid
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
|
||||||
|
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 13:01:12 +0200
|
||||||
|
Subject: [PATCH 6/8] describe beneficial dependency between
|
||||||
|
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
index 7fa36fb940e..d6d2c468c10 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
|
||||||
|
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||||
|
|
||||||
|
rationale: |-
|
||||||
|
- The default coredump filename is <pre>core</pre>. By setting
|
||||||
|
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||||
|
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||||
|
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||||
|
- <pre>.PID</pre> will be appended to the filename.
|
||||||
|
+ The default coredump filename is <tt>core</tt>. By setting
|
||||||
|
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
|
||||||
|
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
|
||||||
|
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
|
||||||
|
+ <tt>.PID</tt> will be appended to the filename.
|
||||||
|
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
|
||||||
|
+ is ensured that no core dumps are generated and also no confusing error
|
||||||
|
+ messages are printed by a shell.
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
|
||||||
|
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 10:53:37 +0200
|
||||||
|
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
|
||||||
|
sysctl_kernel_core_pattern_empty_string
|
||||||
|
|
||||||
|
they are modifying the same configuration
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index 771c4d40e0f..c27a9e7ecf3 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -13,6 +13,9 @@ rationale: |-
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
+conflicts:
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
+
|
||||||
|
identifiers:
|
||||||
|
cce@rhcos4: CCE-82527-3
|
||||||
|
cce@rhel8: CCE-82215-5
|
||||||
|
|
||||||
|
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Tue, 9 Aug 2022 16:43:20 +0200
|
||||||
|
Subject: [PATCH 8/8] fix ocils
|
||||||
|
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
|
||||||
|
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
|
||||||
|
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index c27a9e7ecf3..1a540ce20b3 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -29,7 +29,10 @@ references:
|
||||||
|
stigid@ol8: OL08-00-010671
|
||||||
|
stigid@rhel8: RHEL-08-010671
|
||||||
|
|
||||||
|
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+ocil_clause: |-
|
||||||
|
+ the returned line does not have a value of "|/bin/false", or a line is not
|
||||||
|
+ returned and the need for core dumps is not documented with the Information
|
||||||
|
+ System Security Officer (ISSO) as an operational requirement
|
||||||
|
|
||||||
|
ocil: |
|
||||||
|
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
index d6d2c468c10..8f51f97c16c 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||||
|
@@ -24,10 +24,10 @@ identifiers:
|
||||||
|
references:
|
||||||
|
ospp: FMT_SMF_EXT.1
|
||||||
|
|
||||||
|
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||||
|
+ocil_clause: 'the returned line does not have a value of 0'
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
|
||||||
|
|
||||||
|
platform: machine
|
||||||
|
|
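Review bot: The new `sysctl_kernel_core_pattern_empty_string` rule writes `kernel.core_pattern = ''` into the sysctl configuration (`sysctlval: "''"`, `datatype: string`), and whether those two quote characters mean an empty string or are taken literally depends on the loader: `sysctl -w kernel.core_pattern=''` is unquoted by the shell, but I do not believe `systemd-sysctl` or `sysctl -p` strip quotes when reading `/etc/sysctl.d`, in which case the pattern after reboot would be the literal string `''`, a core file named `''` would be written in the crashed process's working directory, and the OVAL check would still pass because it matches the configured text. Please verify with `od -c /proc/sys/kernel/core_pattern` after a reboot and, if the quotes survive, have the remediation write `kernel.core_pattern =` with an empty value instead (the sysctl template's remediation is outside this patch). Relatedly, the runtime half of the templated OVAL compares `/proc/sys/kernel/core_pattern` against the same literal `''`, while a genuinely empty pattern reads back as an empty line, so the template needs to treat the quoted form as empty on both the config-file and the runtime side. The rule is only effective together with `kernel.core_uses_pid = 0` (the description says so and `requires:` captures it), so the rationale should state that `sysctl_kernel_core_uses_pid` is a hard prerequisite rather than merely beneficial.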
@ -0,0 +1,47 @@
|
|||||||
|
From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 20 Jul 2022 14:18:13 +0200
|
||||||
|
Subject: [PATCH] change remediations to include the "=" sign
|
||||||
|
|
||||||
|
---
|
||||||
|
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
|
||||||
|
.../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||||
|
index c335a9e7fa2..852ca18cf79 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
lineinfile:
|
||||||
|
create: yes
|
||||||
|
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
|
||||||
|
- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||||
|
+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||||
|
path: {{{ openssl_cnf_path }}}
|
||||||
|
when:
|
||||||
|
- test_crypto_policy_group.stdout is defined
|
||||||
|
@@ -29,7 +29,7 @@
|
||||||
|
- name: "Add crypto_policy group and set include opensslcnf.config"
|
||||||
|
lineinfile:
|
||||||
|
create: yes
|
||||||
|
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||||
|
+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||||
|
path: {{{ openssl_cnf_path }}}
|
||||||
|
when:
|
||||||
|
- test_crypto_policy_group.stdout is defined
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||||
|
index 21edb780a2f..79eb5cff189 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||||
|
@@ -2,8 +2,8 @@
|
||||||
|
|
||||||
|
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
|
||||||
|
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
|
||||||
|
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
|
||||||
|
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
|
||||||
|
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
|
||||||
|
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
|
||||||
|
|
||||||
|
{{% if 'sle' in product %}}
|
||||||
|
{{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
|
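Review bot: The new `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` in bash/shared.sh uses a PCRE-only non-capturing group, `(?:=\s*)?`, which is not valid POSIX ERE; if the script later tests it with `grep -E` or `sed -E` rather than `grep -P` (the matching call is outside this hunk), the optional `=` is not recognised and a host that already carries `.include /etc/crypto-policies/back-ends/opensslcnf.config` would get a second include appended. A plain group is equivalent and portable: `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'`. The Ansible `lineinfile` tasks match only the exact new `line:` text and carry no `regexp:`, so unless the `when:` conditions that continue past the hunk already detect the old spelling, the same duplicate-include outcome applies there; adding `regexp: '^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf\.config\s*$'` to the first task would make it idempotent across both forms.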
@ -0,0 +1,29 @@
|
|||||||
|
From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||||
|
Date: Thu, 28 Jul 2022 15:08:15 +0200
|
||||||
|
Subject: [PATCH] Remove a confusing sentence
|
||||||
|
|
||||||
|
In the rule description, there are 2 conflicting sentences, they
|
||||||
|
both start by "By default ...", but they negate each other.
|
||||||
|
In fact, the second of them is true, so the first one could be
|
||||||
|
removed.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
|
||||||
|
---
|
||||||
|
.../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||||
|
index 932d76c36d9..332712ea1dd 100644
|
||||||
|
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||||
|
@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
|
||||||
|
description: |-
|
||||||
|
Single-user mode is intended as a system recovery
|
||||||
|
method, providing a single user root access to the system by
|
||||||
|
- providing a boot option at startup. By default, no authentication
|
||||||
|
- is performed if single-user mode is selected.
|
||||||
|
+ providing a boot option at startup.
|
||||||
|
<br /><br />
|
||||||
|
By default, single-user mode is protected by requiring a password and is set
|
||||||
|
in <tt>/usr/lib/systemd/system/rescue.service</tt>.
|
File diff suppressed because it is too large
@ -6,13 +6,20 @@
|
|||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.63
|
Version: 0.1.63
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
URL: https://github.com/ComplianceAsCode/content/
|
URL: https://github.com/ComplianceAsCode/content/
|
||||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
|
Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
|
||||||
|
Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
|
||||||
|
Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
|
||||||
|
Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
|
||||||
|
Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
|
||||||
|
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
BuildRequires: openscap-scanner >= 1.2.5
|
BuildRequires: openscap-scanner >= 1.2.5
|
||||||
@ -98,6 +105,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||||
|
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
|
||||||
|
- OSPP: update rules related to coredumps (RHBZ#2081688)
|
||||||
|
- OSPP: update rules related to BPF (RHBZ#2081728)
|
||||||
|
- fix description of require_singleuser_mode (RHBZ#2092799)
|
||||||
|
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
|
||||||
|
- OSPP: use minimal Authselect profile(RHBZ#2114979)
|
||||||
|
|
||||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
|
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
|
||||||
|
|
||||||
|
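Review bot: The changelog entry `- fix description of require_singleuser_mode (RHBZ#2092799)` names a rule that does not exist; Patch3 changes `require_singleuser_auth/rule.yml`, so the line should read `- fix description of require_singleuser_auth (RHBZ#2092799)` (and the last entry is missing a space before `(RHBZ#2114979)`). The six `PatchN:` declarations only take effect if `%prep` applies them, which this hunk does not show; assuming the spec uses `%autosetup -p1` that is fine, but if it uses `%setup -q` each patch needs a matching `%patchN -p1` line. The patch files are named `0.1.64-*` while `Version` stays at 0.1.63, which is reasonable for upstream backports but worth a one-line comment above `Patch0`, such as `# Backports from upstream 0.1.64`, so the mismatch is not mistaken for a stale version.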