import scap-security-guide-0.1.54-5.el8

CentOS Sources 2021-05-18 02:51:20 -04:00 committed by Andrew Lukoshko
parent 61c0c12b34
commit 34f8f34227
74 changed files with 25399 additions and 10158 deletions

.gitignore

@ -1 +1,2 @@
SOURCES/scap-security-guide-0.1.50.tar.bz2 SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.54.tar.bz2
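Review bot: the first added line of this hunk, SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2, names an el7_9/rhel6 tarball, yet this is the el8 branch and the import is 0.1.54 (the second added line); unless the spec in this branch really consumes that tarball, drop the entry so .gitignore lists only the source the build uses.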


@ -1 +1,2 @@
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2 b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
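Review bot: the metadata hunk carries the same stray entry as .gitignore: a SHA-1 for scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 is added next to the 0.1.54 digest. Keep the two files in step; if the rhel6 line goes from .gitignore, remove it here as well, otherwise the lookaside metadata advertises a source the el8 build does not use.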


@ -1,24 +1,24 @@
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com> From: Watson Sato <wsato@redhat.com>
Date: Fri, 17 Jan 2020 19:01:22 +0100 Date: Thu, 3 Dec 2020 14:35:47 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
They raise too many errors and fails.
Also disable tables for profiles that are not built.
--- ---
rhel8/CMakeLists.txt | 2 -- rhel8/CMakeLists.txt | 6 ------
rhel8/profiles/cjis.profile | 2 +- rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +- rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +- rhel8/profiles/ism_o.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +- rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/standard.profile | 2 +- rhel8/profiles/rhelh-vpp.profile | 2 +-
9 files changed, 8 insertions(+), 10 deletions(-) rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
11 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index 40f2b2b0f..492a8dae1 100644 index d61689c97..5e444a101 100644
--- a/rhel8/CMakeLists.txt --- a/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") @@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi") ssg_build_html_table_by_ref(${PRODUCT} "anssi")
@ -26,18 +26,44 @@ index 40f2b2b0f..492a8dae1 100644
ssg_build_html_nistrefs_table(${PRODUCT} "ospp") ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig") ssg_build_html_nistrefs_table(${PRODUCT} "stig")
# Uncomment when anssi profiles are marked documentation_complete: true -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") -ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
-
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index ccad93d67..6a854378c 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'ANSSI BP-028 (high)'
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 05ea9cdd6..9c55ac5b1 100644 index 035d2705b..c6475f33e 100644
--- a/rhel8/profiles/cjis.profile --- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-documentation_complete: true -documentation_complete: true
+documentation_complete: false +documentation_complete: false
title: 'Criminal Justice Information Services (CJIS) Security Policy' metadata:
version: 5.4
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
index a3c427c01..4605dea3b 100644
--- a/rhel8/profiles/ism_o.profile
+++ b/rhel8/profiles/ism_o.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
SMEs:
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644 index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile --- a/rhel8/profiles/rhelh-stig.profile
@ -79,5 +105,5 @@ index a63ae2cf3..da669bb84 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
-- --
2.21.1 2.26.2
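Review bot: in the rewritten patch (right-hand column) the rhel8/CMakeLists.txt hunk deletes all four ssg_build_html_anssirefs_table calls (bp28_minimal, bp28_intermediary, bp28_enhanced, bp28_high), while the only ANSSI profile shown being flipped to documentation_complete: false is anssi_bp28_high.profile; the description says tables are disabled only "for profiles that are not built", so either the other three bp28 profiles are already not built, in which case say so in the patch description, or their table builds should stay. Also, ism_o.profile is disabled in the same patch although neither the subject line nor the body mentions ISM; add it to the description so the change log matches the diffstat.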


@ -0,0 +1,187 @@
From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 17 Feb 2021 15:36:59 +0100
Subject: [PATCH] Remove kickstart for profile not shipped
RHEL-8 ANSSI high is not shipped at the momment
---
.../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
1 file changed, 167 deletions(-)
delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
deleted file mode 100644
index b5c09253a..000000000
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ /dev/null
@@ -1,167 +0,0 @@
-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
-# Version: 0.0.1
-# Date: 2020-12-10
-#
-# Based on:
-# https://pykickstart.readthedocs.io/en/latest/
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-
-# Specify installation method to use for installation
-# To use a different one comment out the 'url' one below, update
-# the selected choice with proper options & un-comment it
-#
-# Install from an installation tree on a remote server via FTP or HTTP:
-# --url the URL to install from
-#
-# Example:
-#
-# url --url=http://192.168.122.1/image
-#
-# Modify concrete URL in the above example appropriately to reflect the actual
-# environment machine is to be installed in
-#
-# Other possible / supported installation methods:
-# * install from the first CD-ROM/DVD drive on the system:
-#
-# cdrom
-#
-# * install from a directory of ISO images on a local drive:
-#
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
-#
-# * install from provided NFS server:
-#
-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
-#
-# Set language to use during installation and the default language to use on the installed system (required)
-lang en_US.UTF-8
-
-# Set system keyboard type / layout (required)
-keyboard us
-
-# Configure network information for target system and activate network devices in the installer environment (optional)
-# --onboot enable device at a boot time
-# --device device to be activated and / or configured with the network command
-# --bootproto method to obtain networking configuration for device (default dhcp)
-# --noipv6 disable IPv6 on this device
-#
-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
-# "--bootproto=static" must be used. For example:
-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
-#
-network --onboot yes --bootproto dhcp --noipv6
-
-# Set the system's root password (required)
-# Plaintext password is: server
-# Refer to e.g.
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-# to see how to create encrypted password form for different plaintext password
-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
-# Set the system time zone (required)
-timezone --utc America/New_York
-
-# Specify how the bootloader should be installed (required)
-# Plaintext password is: password
-# Refer to e.g.
-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
-
-# Initialize (format) all disks (optional)
-zerombr
-
-# The following partition layout scheme assumes disk of size 20GB or larger
-# Modify size of partitions appropriately to reflect actual machine's hardware
-#
-# Remove Linux partitions from the system prior to creating new ones (optional)
-# --linux erase all Linux partitions
-# --initlabel initialize the disk label to the default based on the underlying architecture
-clearpart --linux --initlabel
-
-# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-logvol swap --name=swap --vgname=VolGroup --size=2016
-
-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-# content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-# functionality will automatically be installed. However, by default, no policies are enforced,
-# meaning that no checks are performed during or after installation unless specifically configured.
-#
-# Important
-# Applying a security policy is not necessary on all systems. This screen should only be used
-# when a specific policy is mandated by your organization rules or government regulations.
-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-# Values can be optionally enclosed in single quotes (') or double quotes (").
-#
-# The following keys are recognized by the add-on:
-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
-# - If the content-type is scap-security-guide, the add-on will use content provided by the
-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
-# xccdf-id - ID of the benchmark you want to use.
-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
-# profile - ID of the profile to be applied. Use default to apply the default profile.
-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
-#
-# The following is an example %addon org_fedora_oscap section which uses content from the
-# scap-security-guide on the installation media:
-%addon org_fedora_oscap
- content-type = scap-security-guide
- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
-%end
-
-# Packages selection (%packages section is required)
-%packages
-
-# Require @Base
-@Base
-
-%end # End of %packages section
-
-# Reboot after the installation is complete (optional)
-# --eject attempt to eject CD or DVD media before rebooting
-reboot --eject
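Review bot: the deletion is consistent with the rest of the import: the %addon org_fedora_oscap block near the end of the removed file selects profile xccdf_org.ssgproject.content_profile_anssi_bp28_high, the same profile the sibling patch marks documentation_complete: false, so shipping the kickstart without the profile would have pointed installers at a profile ID that no longer exists in the built content. Worth stating in the patch description: the file also carried crypted rootpw, user and bootloader password hashes with their plaintexts ("server", "admin123", "password") in comments, so when the profile is re-enabled the kickstart should be regenerated rather than restored from history and reused as-is.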
--
2.26.2


@ -1,737 +0,0 @@
From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:27:47 +0200
Subject: [PATCH 1/5] Add check for zipl installed
Based and valid in RHEL, where zipl is part of s390utils-base.
---
rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++
.../oval/installed_env_has_zipl_package.xml | 37 +++++++++++++++++++
ssg/constants.py | 1 +
3 files changed, 42 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index 694cbb5a4e..cccb3c5791 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -67,4 +67,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml
new file mode 100644
index 0000000000..ab6545669d
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zipl_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_zipl_package" version="1">
+ <metadata>
+ <title>System uses zIPL</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if system uses zIPL bootloader.</description>
+ <reference ref_id="cpe:/a:zipl" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package s390utils-base is installed" test_ref="test_env_has_zipl_installed" />
+ </criteria>
+ </definition>
+
+{{% if pkg_system == "rpm" %}}
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_zipl_installed" version="1"
+ comment="system has package zipl installed">
+ <linux:object object_ref="obj_env_has_zipl_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_zipl_installed" version="1">
+ <linux:name>s390utils-base</linux:name>
+ </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
+ id="test_env_has_zipl_installed" version="1"
+ comment="system has package zipl installed">
+ <linux:object object_ref="obj_env_has_zipl_installed" />
+ </linux:dpkginfo_test>
+ <linux:dpkginfo_object id="obj_env_has_zipl_installed" version="1">
+ <linux:name>s390utils-base</linux:name>
+ </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
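Review bot: the dpkg branch of this definition reuses the rpm package name s390utils-base, but the patch description says the check is "Based and valid in RHEL" only, so the Debian package name is unverified; confirm it or leave the dpkg branch out until it is. The two branches also disagree on check_existence (at_least_one_exists for rpm, all_exist for dpkg) for what is a single-object test; pick one. And the description "Checks if system uses zIPL bootloader" overstates what the criterion does, which is a package presence test, as the criterion comment "Package s390utils-base is installed" correctly says; align the description with it. This series is being dropped from the package here, so the point applies to whichever copy of this check ships in the 0.1.54 sources.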
diff --git a/ssg/constants.py b/ssg/constants.py
index fb20fe8107..f03aa87f09 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -506,6 +506,7 @@
"sssd": "cpe:/a:sssd",
"systemd": "cpe:/a:systemd",
"yum": "cpe:/a:yum",
+ "zipl": "cpe:/a:zipl",
}
# _version_name_map = {
From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:33:07 +0200
Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content
Add zipl platform to bootloader-zipl and machine platform to all zipl
rules.
Final applicability of zipl rules is equivalent to "machine and zipl"
CPE platform.
---
linux_os/guide/system/bootloader-zipl/group.yml | 2 +-
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 ++
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 ++
.../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 ++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 ++
8 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 36da84530c..64c6c8dffb 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
options to it.
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
-platform: machine
+platform: zipl
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 16c0b3f89a..2d31ef8ee7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 47a532d50f..40db232257 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 5aa91c16aa..8d28d5495f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 8546325752..0a8e9a41e2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index eaef25ce40..20c1448cc8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 68e91a92d6..54ac688ea0 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 9624b43349..c5979a2016 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -36,3 +36,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:02:44 +0200
Subject: [PATCH 3/5] Add check for grub2 installed
Apply new CPE grub2 to bootloader-grub2 group.
---
.../file_groupowner_efi_grub2_cfg/rule.yml | 2 +
.../file_groupowner_grub2_cfg/rule.yml | 2 +
.../file_owner_efi_grub2_cfg/rule.yml | 2 +
.../file_owner_grub2_cfg/rule.yml | 2 +
.../guide/system/bootloader-grub2/group.yml | 2 +-
.../grub2_admin_username/rule.yml | 2 +
.../grub2_enable_iommu_force/rule.yml | 2 +
.../grub2_no_removeable_media/rule.yml | 2 +
.../bootloader-grub2/grub2_password/rule.yml | 2 +
.../grub2_uefi_admin_username/rule.yml | 2 +
.../grub2_uefi_password/rule.yml | 2 +
.../uefi_no_removeable_media/rule.yml | 2 +
.../oval/installed_env_has_grub2_package.xml | 37 +++++++++++++++++++
ssg/constants.py | 1 +
14 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
index b5b583bd28..a6ac6f7b6b 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
@@ -51,6 +51,8 @@ ocil: |-
{{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}}
{{%- endif %}}
+platform: machine
+
template:
name: file_groupowner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
index 9d89ff5755..93dbf5222d 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou
ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}'
+platform: machine
+
template:
name: file_groupowner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
index ed17987478..e2c118cf0a 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
@@ -49,6 +49,8 @@ ocil: |-
{{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}}
{{%- endif %}}
+platform: machine
+
template:
name: file_owner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
index 9ce4c3d60b..5086553921 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo
ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}'
+platform: machine
+
template:
name: file_owner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
index 69489bc0c2..4ffb40c0e8 100644
--- a/linux_os/guide/system/bootloader-grub2/group.yml
+++ b/linux_os/guide/system/bootloader-grub2/group.yml
@@ -15,4 +15,4 @@ description: |-
with a password and ensure its configuration file's permissions
are set properly.
-platform: machine
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
index 63a6a7a83c..15db01a75f 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
@@ -68,3 +68,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index baade9c13e..d4f455e66a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -17,3 +17,5 @@ identifiers:
references:
anssi: NT28(R11)
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
index 113726d34f..c8956c2f34 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
index 985b8727d7..b6e9774608 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -72,3 +72,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
index 1926837db7..5abd86b9d9 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
@@ -75,3 +75,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index 3ce5a2df13..3114d2d27c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -73,3 +73,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
index c94185f3f4..5de05c057a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
new file mode 100644
index 0000000000..e83f45bc3b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_grub2_package" version="1">
+ <metadata>
+ <title>Package grub2 is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package grub2-pc is installed.</description>
+ <reference ref_id="cpe:/a:grub2" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+ </criteria>
+ </definition>
+
+{{% if pkg_system == "rpm" %}}
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_grub2_installed" version="1"
+ comment="system has package grub2-pc installed">
+ <linux:object object_ref="obj_env_has_grub2_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
+ <linux:name>grub2-pc</linux:name>
+ </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
+ id="test_env_has_grub2_installed" version="1"
+ comment="system has package grub2-pc installed">
+ <linux:object object_ref="obj_env_has_grub2_installed" />
+ </linux:dpkginfo_test>
+ <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
+ <linux:name>grub2-pc</linux:name>
+ </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
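Review bot: this inventory tests only grub2-pc, the BIOS boot package, yet the group that this same patch puts on platform grub2 (bootloader-grub2/group.yml above) contains the UEFI rules file_owner_efi_grub2_cfg, file_groupowner_efi_grub2_cfg, grub2_uefi_password, grub2_uefi_admin_username and uefi_no_removeable_media; a UEFI install carries the grub2-efi packages rather than grub2-pc, so on such a system the CPE evaluates false and the whole group, UEFI rules included, is reported not applicable. Match the package family instead (grub2-common, or a pattern over grub2-pc and grub2-efi-*), and make the title "Package grub2 is installed" and the description "Checks if package grub2-pc is installed" name the same thing. The dpkg branch has the same copied-name problem as the zipl check (Debian's BIOS package is grub-pc, not grub2-pc). Since the series is being removed from the package, verify this against the check that ships in 0.1.54.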
diff --git a/ssg/constants.py b/ssg/constants.py
index f03aa87f09..318763b219 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -498,6 +498,7 @@
"container": "cpe:/a:container",
"chrony": "cpe:/a:chrony",
"gdm": "cpe:/a:gdm",
+ "grub2": "cpe:/a:grub2",
"libuser": "cpe:/a:libuser",
"nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
"ntp": "cpe:/a:ntp",
From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:58:14 +0200
Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform
It should have both platforms machine and grub2.
But as the parent group is very broad, I cannot put parent group as
machine.
As a side effect this change makes this rules applicable in containers.
---
.../accounts-physical/grub2_disable_interactive_boot/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
index 3080470aa8..44ea1aa49a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
@@ -48,4 +48,4 @@ ocil: |-
Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
that interactive boot is enabled at boot time.
-platform: machine
+platform: grub2
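Review bot: replacing `-platform: machine` with `+platform: grub2` drops the machine restriction entirely, and the commit message itself names the side effect: the rule now applies inside containers that happen to have grub2-pc installed. If that is not intended, say so in the rule's description or check whether the platform field can express both `machine` and `grub2` so the original scope is preserved.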
From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:20:18 +0200
Subject: [PATCH 5/5] Update CPE Dictionaries
Again, whenever a package CPE is added, all CPE dictionaries need to be
updated.
Because the project doesn't share CPEs among the products.
---
debian10/cpe/debian10-cpe-dictionary.xml | 5 +++++
debian8/cpe/debian8-cpe-dictionary.xml | 5 +++++
debian9/cpe/debian9-cpe-dictionary.xml | 5 +++++
fedora/cpe/fedora-cpe-dictionary.xml | 5 +++++
ol7/cpe/ol7-cpe-dictionary.xml | 5 +++++
ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++
opensuse/cpe/opensuse-cpe-dictionary.xml | 5 +++++
rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++++
rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++
rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++
sle11/cpe/sle11-cpe-dictionary.xml | 5 +++++
sle12/cpe/sle12-cpe-dictionary.xml | 5 +++++
sle15/cpe/sle15-cpe-dictionary.xml | 5 +++++
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 5 +++++
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 5 +++++
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 5 +++++
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 5 +++++
18 files changed, 90 insertions(+)
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index 5cc27ceb79..f2dbd09cfc 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
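Review bot: the new entry's `<title>` says "Package grub2 is installed" while the referenced inventory definition `installed_env_has_grub2_package` tests for grub2-pc (see the OVAL file added earlier in this series); align the title with the package actually checked. The identical five-line block is pasted into all 18 dictionaries listed in the diffstat, which is exactly the maintenance cost the commit message complains about; a shared fragment or a generated dictionary would remove the need to touch every product for each new CPE. The same comment applies to the remaining 17 hunks of this patch.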
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
index 38d490138a..f385709052 100644
--- a/debian8/cpe/debian8-cpe-dictionary.xml
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index f01770b044..bc90a12bae 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index 2964e320c2..ff7cebc322 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -62,6 +62,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index c153272121..613f853a6d 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 3fd74e53ca..912fe01346 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
index 1ab4e85ea8..7f485b800e 100644
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
@@ -42,6 +42,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index a5214e36f0..f232b7ed29 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -57,6 +57,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index cccb3c5791..eab827291f 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
index ce9b06dcae..db1b4b239b 100644
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
index c732ecb48a..1b6b3e2518 100644
--- a/sle11/cpe/sle11-cpe-dictionary.xml
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
index 79daa31412..b1b66e1294 100644
--- a/sle12/cpe/sle12-cpe-dictionary.xml
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml
index 91d3d78b19..0ee5a1b817 100644
--- a/sle15/cpe/sle15-cpe-dictionary.xml
+++ b/sle15/cpe/sle15-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
index df5abff723..7f3ce4271b 100644
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
index 6269344376..83f0c8c516 100644
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
index ccb285768e..77b78d74ec 100644
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index 73e419c9ab..cc4e806a4d 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -26,6 +26,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
index 8449ea1416..824c575a6a 100644
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
@@ -26,6 +26,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
@ -1,595 +0,0 @@
From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 14:33:06 +0200
Subject: [PATCH 1/5] Add zIPL bootloader group
---
linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
new file mode 100644
index 0000000000..36da84530c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'zIPL bootloader configuration'
+
+description: |-
+ During the boot process, the bootloader is
+ responsible for starting the execution of the kernel and passing
+ options to it.
+ The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+
+platform: machine
From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 15:26:19 +0200
Subject: [PATCH 2/5] Add zIPL rule for early audit capability
---
.../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
new file mode 100644
index 0000000000..ce2bd60c59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+
+description: |-
+ To ensure all processes can be audited, even those which start prior to the audit daemon,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable audit,
+ add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Each process on the system carries an "auditable" flag which indicates whether
+ its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+ this for all processes which launch after it does, adding the kernel argument
+ ensures it is set for every process during boot.
+
+severity: medium
+
+ocil_clause: 'auditing is not enabled at boot time'
+
+ocil: |-
+ To check that audit is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
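Review bot: the ocil command `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` is in GNU grep's basic regex syntax, where `+` is a literal character, so the pattern only matches a line with a literal plus sign after the whitespace; with `-L` that lists every boot entry as non-compliant. Use `grep -L -E "^options\s+.*\baudit=1\b"` or escape the quantifier as `\s\+`. The same pattern is repeated in the ocil block of every zipl rule in this series, so the fix applies to each of them. This file is removed by the commit (`@ -1,595 +0,0 @@`), so this matters only if the replacement carries the same text.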
From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 26 May 2020 15:06:12 +0200
Subject: [PATCH 3/5] Add few more zIPL kernel option rules
Add rules for following options:
- audit_backlog_limit
- selinux
- audit_backlog_limit
- enable_selinux
- page_poison
- pti
- slub_debug
- vsyscall
---
.../rule.yml | 41 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++
.../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++
.../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++
.../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++
.../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++
6 files changed, 241 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
new file mode 100644
index 0000000000..08c5b53207
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+
+description: |-
+ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
+ to the audit daemon. Until the audit daemon is up and running, all log messages
+ are stored in this queue. If the queue is overrun during boot process, the action
+ defined by audit failure flag is taken.
+
+severity: medium
+
+ocil_clause: 'audit backlog limit is not configured'
+
+ocil: |-
+ To check that all boot entries extend the backlog limit;
+ Check that all boot entries extend the log events queue:
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
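Review bot: the ocil command `sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b"` checks for the value `0`, while the description and `/etc/kernel/cmdline` guidance require `audit_backlog_limit=8192`; with `-L` this lists exactly the entries that do not set the limit to zero, so correctly configured entries are reported as failures. Suggest `grep -L -E "^options\s+.*\baudit_backlog_limit=8192\b"`. The two lead-in sentences `To check that all boot entries extend the backlog limit;` and `Check that all boot entries extend the log events queue:` say the same thing and one should go.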
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
new file mode 100644
index 0000000000..e7a455b90c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure SELinux Not Disabled in zIPL'
+
+description: |-
+ To ensure SELinux is not disabled at boot time,
+ check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+rationale: |-
+ Disabling a major host protection feature, such as SELinux, at boot time prevents
+ it from confining system services at boot time. Further, it increases
+ the chances that it will remain off during system operation.
+
+severity: medium
+
+ocil_clause: 'SELinux is disabled at boot time'
+
+ocil: |-
+ To check that selinux is not disabled at boot time;
+ Check that no boot entry disables selinux:
+ <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that disables SELinux.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
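Review bot: `sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf` lists the files that do not contain `selinux=0`, i.e. the compliant entries, which contradicts the following line `each line returned is a boot entry that disables SELinux`. For a "no entry may contain this" check use `grep -l` (lowercase) or plain `grep -E "^options\s+.*\bselinux=0\b"` so that the returned lines are the offending ones. Unlike the other zipl rules, this one does not ask for anything to be added to `/etc/kernel/cmdline`, which is fine here since the requirement is the absence of an argument.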
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
new file mode 100644
index 0000000000..b8a2eecee6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable page allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of free pages,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page poisoning,
+ add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'page allocator poisoning is not enabled'
+
+ocil: |-
+ To check that page poisoning is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
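Review bot: the rationale sentence `Also prevents leak of data and detection of corrupted memory.` reads as if poisoning prevents the detection of corrupted memory; suggest `It also prevents data leaks and helps detect corrupted memory.` The ocil block carries the same basic-regex `\s+` problem noted on the zipl_audit_argument rule above.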
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
new file mode 100644
index 0000000000..4757871a5f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+
+description: |-
+ To enable Kernel page-table isolation,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page-table isolation,
+ add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Kernel page-table isolation is a kernel feature that mitigates
+ the Meltdown security vulnerability and hardens the kernel
+ against attempts to bypass kernel address space layout
+ randomization (KASLR).
+
+severity: medium
+
+ocil_clause: 'Kernel page-table isolation is not enabled'
+
+ocil: |-
+ To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
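Review bot: the ocil pattern `"^options\s+.*\bpti=on\b"` is passed to `grep -L` without `-E`, so in basic-regex mode the `+` is literal and compliant boot entries are listed as failing; use `grep -E -L`. Two wording fixes in the same hunk: "check that all boot entries ... have pti=on included in its options" should read "their options", and the ocil sentence "doesn't enable page-table isolation ." has a stray space before the period.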
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
new file mode 100644
index 0000000000..166dd41afd
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of SLUB/SLAB objects,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed objects, so any modification or
+ reference to that object after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+ocil: |-
+ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
+ <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not enable poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
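Review bot: the description sentence "To ensure that new kernels and boot entries continue to extend the audit log events queue" is copied from the audit_backlog_limit rule and should read "continue to enable SLUB/SLAB poisoning", since the line it introduces adds `slub_debug=P`. Also, the ocil's first sentence ends with ";" where the sibling rules use ":", and the `grep -L "^options\s+.*\bslub_debug=P\b"` check needs `-E` for `\s+` to act as a quantifier in GNU grep.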
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
new file mode 100644
index 0000000000..6b95d16fb8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable vsyscalls in zIPL'
+
+description: |-
+ To disable use of virtual syscalls,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to disable virtual syscalls,
+ add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'vsyscalls are enabled'
+
+ocil: |-
+ To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
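Review bot: the rationale block ("Poisoning writes an arbitrary value to freed pages ...") is copied from the page-poisoning rule and does not describe `vsyscall=none` at all; it should explain why disabling the legacy virtual syscall page matters for this rule. The ocil `grep -L "^options\s+.*\bvsyscall=none\b"` also needs `-E` so that `\s+` is a quantifier rather than a literal plus sign.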
From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Jun 2020 13:29:39 +0200
Subject: [PATCH 4/5] Fix formatting of zIPL rules
<pre> is renderend in a separate line, while <tt> is rendered inline.
Add line breaks for better readability.
---
.../bootloader-zipl/zipl_audit_argument/rule.yml | 10 +++++-----
.../zipl_audit_backlog_limit_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_enable_selinux/rule.yml | 8 ++++----
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
.../system/bootloader-zipl/zipl_pti_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_vsyscall_argument/rule.yml | 10 +++++-----
7 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
- add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Each process on the system carries an "auditable" flag which indicates whether
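Review bot: while the description is being reflowed, "check that all boot entries ... have audit=1 included in its options" should become "their options" (the subject is plural); the `<br /><br />` separator before "To ensure that new kernels ..." is the right choice and should be used consistently in the other files touched by this patch.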
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 08c5b53207..47a532d50f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index e7a455b90c..5aa91c16aa 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index b8a2eecee6..8546325752 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
- add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
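Review bot: the line `And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />` uses a single `<br />`, while every other rule in this patch ends the same sentence with `<br /><br />`; as written, the paragraph break before "To ensure that new kernels and boot entries continue to enable page poisoning" is lost in the rendered guide. Make it `<br /><br />` to match.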
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 4757871a5f..eaef25ce40 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
- add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Kernel page-table isolation is a kernel feature that mitigates
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 166dd41afd..68e91a92d6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed objects, so any modification or
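Review bot: the context line "To ensure that new kernels and boot entries continue to extend the audit log events queue," is a copy-paste leftover in a rule about `slub_debug=P`; since the adjacent lines are being rewritten anyway, change it to "continue to enable SLUB/SLAB poisoning," in this patch rather than leaving it for a follow-up.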
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 6b95d16fb8..8d39337f9e 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
- add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 13:08:07 +0200
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
copy-pasta error
---
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 8d39337f9e..9624b43349 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -16,11 +16,8 @@ description: |-
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
- Poisoning writes an arbitrary value to freed pages, so any modification or
- reference to that page after being freed or before being initialized will be
- detected and prevented.
- This prevents many types of use-after-free vulnerabilities at little performance cost.
- Also prevents leak of data and detection of corrupted memory.
+ Virtual Syscalls provide an opportunity of attack for a user who has control
+ of the return instruction pointer.
severity: medium
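Review bot: the replacement rationale "Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer." is correct but terse; state what `vsyscall=none` actually removes (the legacy vsyscall page the kernel maps at a fixed address in every process) so the reader understands why a fixed, predictable code region is the concern. Lower-case "virtual syscalls" mid-sentence, and "an opportunity of attack" reads better as "an attack surface".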

@ -1,71 +0,0 @@
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 08:17:20 +0200
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
---
.../ansible/shared.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
new file mode 100644
index 0000000000..5d76b3c073
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: yes
+ dest: "/etc/logrotate.conf"
+ regexp: "^daily$"
+ line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: no
+ dest: "/etc/logrotate.conf"
+ regexp: "^(weekly|monthly|yearly)$"
+ state: absent
+
+- name: Configure cron.daily if not already
+ block:
+ - name: Add shebang
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: "#!/bin/sh"
+ insertbefore: BOF
+ create: yes
+ - name: Add logrotate call
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
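Review bot: the "Configure cron.daily if not already" block creates `/etc/cron.daily/logrotate` with `lineinfile` and `create: yes` but never sets a mode, so a freshly created script is not executable and `run-parts` will skip it; add `mode: '0755'` to the task that creates the file (or a separate `file:` task). Also fix the typo "overriden" -> "overridden" in the second task name.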
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:48:15 +0200
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
Test scenario when monthly is there, but weekly is not.
---
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
new file mode 100644
index 0000000000..b10362989b
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf

@ -1,115 +0,0 @@
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:49:08 +0200
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
---
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..a816eea390
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 4" >> $SSHD_CONFIG
+fi
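Review bot: `#!/bin/bash` sits on line 4, after the `# profiles` and `# platform` metadata comments, so it is just a comment and not an interpreter line; move it to line 1 and keep the metadata comments below it, as the other test scenarios in this series do. The `else` at the same indentation as the `sed` body is also misaligned with the `if`/`fi` pair.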
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..b36125f5bb
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 10" >> $SSHD_CONFIG
+fi
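Review bot: same problem as the pass scenario: the shebang is on line 4 behind the metadata comments and therefore has no effect; put `#!/bin/bash` first. The `else` should be dedented to align with `if` and `fi`.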
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:53:50 +0200
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
---
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
.../tests/correct_value.pass.sh | 2 +-
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
4 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
new file mode 100644
index 0000000000..a7e171dfe9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_sshd_max_sessions)
+
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
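Review bot: `value="{{ var_sshd_max_sessions}}"` is missing the space before the closing `}}`; Jinja accepts it, but every other macro call in the content uses `{{ var }}`, so normalise it for consistency and to keep linters quiet.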
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
new file mode 100644
index 0000000000..fc0a1d8b42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_sshd_max_sessions
+
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
index a816eea390..4cc6d65988 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
else
- echo "MaxSessions 4" >> $SSHD_CONFIG
+ echo "MaxSessions 4" >> $SSHD_CONFIG
fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
index b36125f5bb..bc0c47842a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
else
- echo "MaxSessions 10" >> $SSHD_CONFIG
+ echo "MaxSessions 10" >> $SSHD_CONFIG
fi

@ -1,147 +0,0 @@
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 11:52:35 +0200
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
Very likey a copy-pasta error from bash remediation for
audit_rules_immutable
---
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 1c9748ce9b..b56513cdcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
# files to check if '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
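Review bot: the corrected `sed -i '/-f[[:space:]]\+.*/d'` is the right flag now, but the pattern is not anchored to the start of the line, so any rule containing `-f` followed by whitespace anywhere in it (a key or path fragment, for example) would be deleted as well. Anchor it as `'/^[[:space:]]*-f[[:space:]]\+.*/d'`, which also matches the `^\s*(?:-f)\s+.*$` regexp the Ansible remediation for this rule uses.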
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 12:12:21 +0200
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
Along with very basic test scenarios
---
.../ansible/shared.yml | 28 +++++++++++++++++++
.../tests/augen_correct.pass.sh | 4 +++
.../tests/augen_e_2_immutable.fail.sh | 3 ++
3 files changed, 35 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
new file mode 100644
index 0000000000..b9e8fa87fa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+ find:
+ paths: "/etc/audit/rules.d/"
+ patterns: "*.rules"
+ register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^\s*(?:-f)\s+.*$'
+ state: absent
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+ lineinfile:
+ path: "{{ item }}"
+ create: True
+ line: "-f 2"
+ loop:
+ - "/etc/audit/audit.rules"
+ - "/etc/audit/rules.d/immutable.rules"
+
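Review bot: "Add Audit -f option into ..." appends `-f 2` at end of file, which in `/etc/audit/rules.d/immutable.rules` places it after any existing `-e 2`; since `-e 2` locks the configuration, a rule loaded after it is rejected, and the `augen_correct.pass.sh` scenario in this same series writes `-e 2` before `-f 2`. Consider `insertbefore: '^\s*-e\s+2'` on the lineinfile task so `-f 2` lands ahead of the lock. The file also ends with an extra empty `+` line that should be dropped.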
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..0587b937e0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 14:06:08 +0200
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
---
.../audit_rules_immutable/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 5ac7b3dabb..1cafb744cc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -17,7 +17,7 @@
state: absent
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
lineinfile:
path: "{{ item }}"
create: True
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 May 2020 11:02:56 +0200
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
---
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
1 file changed, 8 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index b56513cdcd..a349bb1ca1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -4,16 +4,8 @@
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
-#
-# files to check if '-f .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-f 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
-# Append '-f 2' requirement at the end of both:
-# * /etc/audit/audit.rules file (for auditctl case)
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> $AUDIT_FILE
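Review bot: the loop body `echo '' >> $AUDIT_FILE` appends a blank line every time the remediation runs, so the fix is not idempotent even though the `-f` line is removed and re-added; either guard it (`[ -s "$AUDIT_FILE" ] && [ -n "$(tail -c1 "$AUDIT_FILE")" ]`) or drop it. Removing the misleading comments is good, but the remaining header fragment ending in "(for augenrules case)" now lacks the sentence that introduced it; reword it into a complete comment.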

@ -1,49 +0,0 @@
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 May 2020 18:16:43 +0200
Subject: [PATCH] Attribute content to CIS
And update the description a bit.
---
rhel7/profiles/cis.profile | 8 +++++---
rhel8/profiles/cis.profile | 8 +++++---
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 0826a49547..829c388133 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
- 12-27-2017.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
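Review bot: the attribution paragraph added here is repeated verbatim, with only the RHEL version swapped, in rhel8/profiles/cis.profile in this same patch; a jinja macro or a shared snippet under shared/ would keep the trademark wording in one place when CIS asks for it to change.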
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index f332ee5462..868b9f21a6 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
- 09-30-2019.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
@ -1,274 +0,0 @@
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 12:17:48 +0200
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
---
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
2 files changed, 250 insertions(+)
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
new file mode 100644
index 0000000000..14c82c4231
--- /dev/null
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
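Review bot: the kickstart embeds three hashed credentials whose plaintext is printed in the comments (`server`, `admin123`, `password`), with the salt `rhel6usgcb` reused for root and the bootloader; that matches the other SSG kickstarts, but a HIPAA-targeted template should state in its header that these must be replaced before use, or every host installed from it shares well-known root, admin and GRUB passwords. The NOTE on the `network` line cites CCE-27021-5 (DISA FSO RHEL-06-000292), a RHEL 6 identifier that does not apply to a RHEL 7 profile; drop it or point at the corresponding RHEL 7 rule.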
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 0000000000..861db36f18
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
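Review bot: `install` is a deprecated kickstart command in RHEL 8 syntax; drop the line, since the installation method is already selected by `url`/`cdrom`/`nfs`. As in the RHEL 7 file, the NOTE on the `network` line cites CCE-27021-5 (RHEL-06-000292), a RHEL 6 identifier, and the `server`/`admin123`/`password` credentials are embedded with their plaintext in comments; the header should say they must be changed before the file is used.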
@ -1,76 +0,0 @@
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 22 May 2020 14:12:18 +0200
Subject: [PATCH] Add missing CCEs for RHEL8
---
.../password_storage/no_netrc_files/rule.yml | 1 +
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
.../file_groupownership_home_directories/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 3 ---
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 8547893201..1bd1f5742e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel6: 27225-2
cce@rhel7: 80211-6
+ cce@rhel8: 83444-0
cce@ocp4: 82667-7
references:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index bedf3a0b19..e69bc9d736 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: 80529-1
+ cce@rhel8: 83424-2
references:
stigid@ol7: "020620"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 1c5ac8d099..f931f6d160 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: 80532-5
+ cce@rhel8: 83434-1
references:
stigid@ol7: "020650"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2f0d2a526b..45d03a2c1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -95,7 +95,6 @@ CCE-83411-9
CCE-83421-8
CCE-83422-6
CCE-83423-4
-CCE-83424-2
CCE-83425-9
CCE-83426-7
CCE-83427-5
@@ -105,7 +104,6 @@ CCE-83430-9
CCE-83431-7
CCE-83432-5
CCE-83433-3
-CCE-83434-1
CCE-83435-8
CCE-83436-6
CCE-83437-4
@@ -115,7 +113,6 @@ CCE-83440-8
CCE-83441-6
CCE-83442-4
CCE-83443-2
-CCE-83444-0
CCE-83445-7
CCE-83446-5
CCE-83447-3
@ -1,103 +0,0 @@
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
---
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
- name: "Direct root Logins Not Allowed"
copy:
dest: /etc/securetty
content: ""
- when: securetty_empty.stat.size > 1
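Review bot: dropping the `stat` guard is correct, since `securetty_empty.stat.size` is undefined when /etc/securetty does not exist and the `when` would have errored on exactly the case the rule must fix; `copy` with `content: ""` is already idempotent. Add `owner: root`, `group: root` and an explicit `mode` to the `copy` task so a file created from scratch does not depend on the remote umask.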
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
---
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
@@ -13,11 +13,17 @@
{{% else %}}
- (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
-
+{{% endif %}}
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
seboolean:
name: {{{ SEBOOLID }}}
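Review bot: keying the package name on `product == "rhel8"` leaves every other python3-only product (Fedora, OL 8 and so on) still installing `libsemanage-python`, which does not exist there; hang the name off a product property in product.yml, the way the bash macros already read `pkg_manager`, instead of hardcoding one product in the template.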
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins
---
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
3 files changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
new file mode 100644
index 0000000000..17251f6a98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
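Review bot: `echo > /etc/securetty` writes a one-byte file containing a newline, not an empty file, while the Ansible remediation in this series writes `content: ""` (zero bytes); confirm the OVAL check treats both as compliant, otherwise the pass scenario and the remediated state disagree. `: > /etc/securetty` or `truncate -s 0 /etc/securetty` would test the exact state the remediation produces.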
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
new file mode 100644
index 0000000000..c764814b26
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
new file mode 100644
index 0000000000..43ac341e87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty
@ -1,308 +0,0 @@
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 26 May 2020 17:49:21 +0200
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
Affected rules:
- selinux_policytype
- selinux_state
---
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
shared/macros-ansible.jinja | 11 +++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
9 files changed, 61 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 5c70cc9f7f..9f8cf66dfb 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_policy_name)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUXTYPE='
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
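Review bot: the macro call changes the edited path from /etc/sysconfig/selinux to /etc/selinux/config; on a stock RHEL host the former is a symlink to the latter, so behaviour is unchanged, but if the symlink is missing the old `lineinfile` with `create: yes` would have created a stray regular file, which this fixes and the commit message should say so. Note that the Ansible macro is defined with `create="no"` while the bash macro added in the same patch uses `create=true`, so the two remediations differ on a host whose config file is absent.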
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index d0fbbf4446..2b5ce31b12 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,7 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_policy_name
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
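Review bot: changing SELINUXTYPE requires a filesystem relabel and a reboot, but unlike selinux_state/bash/shared.sh this remediation neither calls `fixfiles onboot` nor declares `# reboot = true` in its header; add `fixfiles onboot` (or `touch /.autorelabel`) after the macro call and set `# reboot = true`, otherwise the host boots with the new policy and labels from the old one.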
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
new file mode 100644
index 0000000000..1a6eb94953
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
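Review bot: the sed replacement `\minimum` is a bug: `\m` is not a sed replacement escape, so it becomes a literal `m` and the captured `SELINUXTYPE=` prefix is dropped, leaving a line that reads just `minimum`; the intended replacement is `\1minimum`. Separately, switching a live test VM to the minimum policy is disruptive enough that the test runner may not survive the scenario.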
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index b465ac6729..1c1560a86c 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_state)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUX='
- line: "SELINUX={{ var_selinux_state }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
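Review bot: the bash remediation for this rule follows the config edit with `fixfiles onboot` and `fixfiles -f relabel`, but the Ansible version here only edits the file; either add a relabel task (for example `command: fixfiles onboot`) or document why the Ansible path skips it, so the two remediations do not diverge.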
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 58193b5504..a402a861d7 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,10 +1,11 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_state
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
fixfiles onboot
fixfiles -f relabel
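Review bot: the platform line on the first context line reads `multi_platorm_ol` (typo), so this remediation is never generated for Oracle Linux; fix it to `multi_platform_ol`. Also, running both `fixfiles onboot` and `fixfiles -f relabel` is redundant: the second relabels the whole filesystem immediately and, with `-f`, clears /tmp without prompting, which is hard to square with `disruption = low`; one or the other is enough.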
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
new file mode 100644
index 0000000000..180dd80791
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
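Review bot: `sed -i '/^[[:space:]]*SELINUX/d'` also deletes the `SELINUXTYPE=` line, so the scenario tests a config with no policy type at all rather than one that only lacks `SELINUX=`; use `/^[[:space:]]*SELINUX[[:space:]]*=/d` to remove just the line under test.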
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
new file mode 100644
index 0000000000..3db1e56b5f
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
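Review bot: the sed replacement `\permissive` has the same escape bug as the selinuxtype_minimum scenario: `\p` is not a sed replacement escape, so the captured `SELINUX=` prefix is dropped and the line becomes just `permissive`; write `\1permissive`. As written the scenario still fails the check, but for the wrong reason (missing key rather than permissive mode).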
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6798a25d1f..01d3155b37 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/selinux/config.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
{{#
Generates an Ansible task that puts 'contents' into a file at 'filepath'
Parameters:
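Review bot: `create="no"` here contradicts `create=true` in the `bash_selinux_config_set` macro added in the same patch, so the Ansible remediation silently does nothing on a host whose /etc/selinux/config is missing while the bash one creates it; use `create="yes"`. The whitespace-tolerant `separator_regex="\s*=\s*"` is only correct as long as the OVAL check accepts spaces around `=` as well; keep the two in step.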
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 3a94fe5dd8..2531d1c52d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -86,6 +86,21 @@ populate {{{ name }}}
}}}
{{%- endmacro -%}}
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+ path="/etc/selinux/config",
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="",
+ insensitive=true,
+ separator="=",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{#
# Install a package
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
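Review bot: `insensitive=true` lets the bash macro match and rewrite a lowercase `selinux=permissive` line, while the Ansible macro added above is case-sensitive and would leave that line and append a new one; pick one behaviour for both. The macro also lacks the doc comment that `ansible_selinux_config_set` has; add one describing the parameters.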
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 27 May 2020 18:48:57 +0200
Subject: [PATCH 2/2] Remediation requires reboot.
Update OVAL check to disallow spaces.
Removed selinuxtype_minimum test scenario since it breaks the system.
---
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
shared/macros-ansible.jinja | 2 +-
shared/macros-bash.jinja | 4 ++--
8 files changed, 14 insertions(+), 16 deletions(-)
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 9f8cf66dfb..73e6ec7cd4 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -1,5 +1,5 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
+# reboot = true
# strategy = restrict
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index 2b5ce31b12..b4f79c97f9 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
index f1840a1290..3d69fff07f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
@@ -27,7 +27,7 @@
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
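Review bot: the new pattern `^SELINUXTYPE=(.*)$` captures everything after `=`, including trailing blanks or a `\r`, where the old `([^\s]*)` stopped at whitespace; a value such as `targeted ` then compares unequal to the variable and the rule fails with no obvious reason. If trailing whitespace is meant to fail, state that in the rule description; otherwise use `^SELINUXTYPE=(\S*)\s*$`.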
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
deleted file mode 100644
index 1a6eb94953..0000000000
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-
-SELINUX_FILE='/etc/selinux/config'
-
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-else
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-fi
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index a402a861d7..645a7acab4 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
index c0881696e1..8c328060af 100644
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
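Review bot: `^SELINUX=(.*)$` still captures trailing whitespace into the value (the replaced `(.*)[\s]*$` had the same problem, since the greedy `.*` swallows the spaces before `[\s]*` gets a chance), so `SELINUX=enforcing ` with a trailing space fails the check; use `(\S+)\s*$` for the value. The tightening to a column-0 `SELINUX=` with no spaces around `=` is consistent with the macro changes in this patch, but it also means a pre-existing `SELINUX = enforcing` line, which passed before, now fails until the remediation rewrites the file; that deserves a sentence in the rule description so the behaviour change is not mistaken for a regression.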
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 01d3155b37..580a0b948e 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
- value: value of the parameter
#}}
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
{{%- endmacro %}}
{{#
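Review bot: with `prefix_regex='^'` and `separator_regex="="` a pre-existing non-canonical line such as `SELINUX = permissive` or ` SELINUX=permissive` no longer matches the replacement regex, so if `ansible_set_config_file` appends when nothing matches, the file is left with both the stale line and the new `SELINUX=enforcing`; either remove whitespace variants first or keep a tolerant match regex (for example `^\s*SELINUX\s*=\s*`) while writing the canonical `SELINUX=value` form, and document why the tolerant match was dropped. Two smaller points: switching `create="no"` to `create="yes"` means the task now creates `/etc/selinux/config` on hosts that lack it, which the macro's docstring above should mention; and `prefix_regex='^'` is the only single-quoted argument in the call, use double quotes like the rest.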
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2531d1c52d..8abcc914d3 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -96,8 +96,8 @@ populate {{{ name }}}
insert_before="",
insensitive=true,
separator="=",
- separator_regex="\s*=\s*",
- prefix_regex="^\s*")
+ separator_regex="=",
+ prefix_regex="^")
}}}
{{%- endmacro -%}}
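Review bot: same tightening as the Ansible macro, with one extra consideration: `insensitive=true` is kept, so the bash remediation still matches `selinux=enforcing` or `Selinux=enforcing`, while the OVAL patterns in this patch (`^SELINUX=`, `^SELINUXTYPE=`) are case-sensitive. Make sure the replacement writes the uppercase key rather than preserving the matched spelling, otherwise a lowercase variant is "remediated" in place and still fails the check; if the match is meant to be exact, drop `insensitive=true` here for consistency with the checks.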


@ -1,29 +0,0 @@
From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 13 Jul 2020 17:52:35 +0200
Subject: [PATCH] Fix SCAPVAL error SRC-15
The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
in group `bootloader-grub2`, but this CPE isn't defined in the
RHEL 6 CPE dictionary. All used CPEs should be defined in the
dictionary.
---
rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
index bca8986f7a..1b696b88d3 100644
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
@@ -47,6 +47,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
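Review bot: the new item references `installed_env_has_grub2_package`, but no OVAL inventory definition with that id is added in this patch; if it does not already exist in the RHEL 6 inventory, SCAPVAL will report the dangling check reference instead of SRC-15. Since RHEL 6 ships legacy GRUB rather than grub2, the definition will normally evaluate false and take the `bootloader-grub2` group out of applicability, which is the desired outcome, but a one-line comment saying so would help the next reader.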


@ -1,250 +0,0 @@
From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 7 Jul 2020 16:37:30 +0200
Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
group `bootloader-zipl` but the definition of the CPE was missing from
the CPE dictionary in some datastreams, for example fedora datastream.
This triggered error SRC-15 in NIST scapval tool.
---
debian10/cpe/debian10-cpe-dictionary.xml | 4 ++++
debian8/cpe/debian8-cpe-dictionary.xml | 4 ++++
debian9/cpe/debian9-cpe-dictionary.xml | 4 ++++
fedora/cpe/fedora-cpe-dictionary.xml | 4 ++++
ol7/cpe/ol7-cpe-dictionary.xml | 4 ++++
ol8/cpe/ol8-cpe-dictionary.xml | 4 ++++
opensuse/cpe/opensuse-cpe-dictionary.xml | 4 ++++
rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++++
rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++++
rhv4/cpe/rhv4-cpe-dictionary.xml | 4 ++++
sle11/cpe/sle11-cpe-dictionary.xml | 4 ++++
sle12/cpe/sle12-cpe-dictionary.xml | 4 ++++
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 4 ++++
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 4 ++++
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 4 ++++
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 4 ++++
19 files changed, 76 insertions(+)
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index f2dbd09cfc..ddb68c34bd 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
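Review bot: the inventory check `installed_env_has_zipl_package` is referenced from every product dictionary in this patch but defined nowhere in it; confirm it exists in the shared OVAL inventory for the dpkg-based products (debian, ubuntu) as well as the rpm-based ones, otherwise those datastreams trade SRC-15 for an unresolvable check reference. Style: the surrounding items carry the `<!-- the check references an OVAL file that contains an inventory definition -->` comment, and the new item omits it in every file; keep the convention.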
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
index f385709052..24bbca69cd 100644
--- a/debian8/cpe/debian8-cpe-dictionary.xml
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index bc90a12bae..d5595fd594 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index ff7cebc322..bef1337fc9 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -107,4 +107,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index 613f853a6d..5d4691aaf6 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 912fe01346..35167b1f70 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -67,4 +67,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
index 7f485b800e..6b95e46d3f 100644
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
@@ -87,4 +87,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
index 2c8a82ebc5..bca8986f7a 100644
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
@@ -87,4 +87,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index f232b7ed29..bc2aa869e8 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -102,4 +102,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
index db1b4b239b..02450d6efc 100644
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
index 1b6b3e2518..b7cb4e1fd5 100644
--- a/sle11/cpe/sle11-cpe-dictionary.xml
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
@@ -77,4 +77,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
index b1b66e1294..73cddd7740 100644
--- a/sle12/cpe/sle12-cpe-dictionary.xml
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
@@ -77,4 +77,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
index 7f3ce4271b..3f5447741b 100644
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
index 83f0c8c516..e3e842842b 100644
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
index 77b78d74ec..897673c6f5 100644
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index cc4e806a4d..ef7e803505 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -71,4 +71,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
index 824c575a6a..7184ebfd0b 100644
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
@@ -71,4 +71,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>


@ -1,40 +0,0 @@
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 23:36:18 +0200
Subject: [PATCH] Ansible mount_option: split mount and option task
Separate task that adds mount options mounts the mountpoint into two tasks.
Conditioning the "mount" task on the absence of the target mount option
caused the task to always be skipped when mount option was alredy present,
and could result in the mount point not being mounted.
---
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 95bede25f9..a0cf8d6b7a 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -26,14 +26,19 @@
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
+ set_fact:
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
+ when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
mount:
path: "{{{ MOUNTPOINT }}}"
src: "{{ mount_info.source }}"
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
+ opts: "{{ mount_info.options }}"
state: "mounted"
fstype: "{{ mount_info.fstype }}"
when:
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
- device_name.stdout is defined
- (device_name.stdout | length > 0)
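Review bot: the `set_fact` task builds the new option string as `''~mount_info.options~',OPT'`, so when `mount_info.options` is empty the result is `,OPT` with a leading comma; guard that case or build the value from a list (`(mount_info.options.split(',') + ['OPT']) | reject('equalto', '') | join(',')`). The membership test `"OPT" not in mount_info.options` is a substring test on the comma-separated string, so it is satisfied by any option that merely contains OPT (for example `exec` inside `noexec`); test against `mount_info.options.split(',')` instead. Splitting the mount task away from the option check is the right fix for the always-skipped mount, but the mount task still dereferences `mount_info.source`, so its `when:` should keep `mount_info is defined` now that the line was removed.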


@ -1,33 +0,0 @@
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 May 2020 16:46:07 +0200
Subject: [PATCH] reorder groups because of permissions verification
---
ssg/build_yaml.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index e3e138283c..c9f3179c08 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -700,6 +700,11 @@ def to_xml_element(self):
# audit_rules_privileged_commands, othervise the rule
# does not catch newly installed screeen binary during remediation
# and report fail
+ # the software group should come before the
+ # bootloader-grub2 group because of conflict between
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
+ # specific rules concerning permissions should
+ # be applied after the general rpm_verify_permissions
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
# the firewalld_activation must come before ruleset_modifications, othervise
# remediations for ruleset_modifications won't work
@@ -707,6 +712,7 @@ def to_xml_element(self):
# otherwise the remediation prints error although it is successful
priority_order = [
"accounts", "auditing",
+ "software", "bootloader-grub2",
"fips", "crypto",
"firewalld_activation", "ruleset_modifications",
"disabling_ipv6", "configuring_ipv6"
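Review bot: the `"software", "bootloader-grub2"` ordering only resolves the `rpm_verify_permissions` / `file_permissions_grub2_cfg` conflict for a single remediation pass; a later standalone run of `rpm_verify_permissions` resets the grub.cfg mode to the RPM-recorded value again, so the comment should say this is an ordering workaround and that the general rule should ideally skip paths owned by the more specific permission rules. Also, the new comment block is spliced into the middle of the `audit_rules_privileged_commands` note (between "report fail" and the FIPS sentence); give each rationale its own paragraph so the list of constraints stays readable.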


@ -1,171 +0,0 @@
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 01:20:53 +0200
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
All paths in /etc/rsyslog.conf were taken as log files, but paths
in lines containing "include" or "$IncludeConfig" are config files.
Let's not take them in as log files
---
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69df2..c74f3da3f5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,8 +87,18 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their permissions don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
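Review bot: the `\$IncludeConfig[\s]+[^\s;]+` branch of the filter state looks redundant for this object, because the object pattern starts with `^[^\s#\$]+` and a line beginning with `$IncludeConfig` never produces an item in the first place; likewise a one-line `include(file="/etc/rsyslog.d/*.conf" mode="optional")` has no whitespace directly before the path, so it is not obvious which input the `file="..."` branch is catching. Please add a config under the rule's tests/ directory that reproduces the false positive this filter fixes, so the reason for the filter is pinned down and a later regex change cannot silently reintroduce it. Note also that the filter excludes whole lines, so a legacy-syntax selector on the same line as a `file="..."` token is dropped as well; acceptable, but worth a sentence in the comment.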
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 00:16:37 +0200
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
The remediation script also needs to parse the files included via
"include()".
The awk also takes into consideration the multiline aspect.
---
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 6cbf0c6a24..dca35301e7 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
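Review bot: in the awk program the `/)/{f=0}` rule runs before `/include\(/{f=1}` on the same record, so a one-line `include(file="..." mode="optional")` leaves `f` set for every following line until the next `)`; any later line carrying a `file="..."` token without a closing parenthesis on it (for example the `file=` line of a multi-line `action(type="omfile" ...)` block) is then printed as an include path, and the loop below goes on to parse that log file as a configuration file. Reset after the body instead (`/include\(/{f=1} f{...} /)/{f=0}`). Second, the value printed is typically a glob such as `/etc/rsyslog.d/*.conf`, exactly the case the `$IncludeConfig` comment above anticipates, and the quoted `"${RSYSLOG_INCLUDE[@]}"` expansion in the loop header does not expand it; make sure the loop body globs the entry, or expand it when building the array.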
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 15:53:58 +0200
Subject: [PATCH 3/4] Make regex for include file more strict
For some reason gensub in awk doesn't support non capturing group.
So the group with OR is capturing and we substitute everyting with the
second group, witch matches the file path.
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index dca35301e7..99d2d0e794 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
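Review bot: `^(include\(|\s*)file=` matches `include(file="..."` and an indented `file="..."`, but not `include( file="..."` (space after the parenthesis) or `include(mode="optional" file="...")`, because the first alternative must be followed immediately by `file=`. `^\s*(include\(\s*)?file="(\S+)".*` with `\\2` covers the first gap and keeps the path in group 2; the parameter-order case needs a `.*` before `file=`, which is what the previous revision had. The commit text is right that gawk's gensub has no non-capturing groups, so whichever form is chosen, keep the replacement index in sync with the group count.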
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 16:55:02 +0200
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
These three files basically work the same way
---
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 5828f25321..9941e2b94f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -86,8 +86,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
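Review bot: the object pattern in this file, `^[^(\s|#|\$)]+`, differs from the permissions rule's `^[^\s#\$]+`: inside a bracket expression `(`, `|` and `)` are literals, so this variant additionally refuses lines starting with those three characters, which is presumably unintended and makes the three rules disagree on which lines they consider. Since the same filter state is being copied into all three OVAL files, align the object patterns as well (this hunk and the ownership one).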
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
index 3c46eab6d6..29dd1a989e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
@@ -83,8 +83,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their owner don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c74f3da3f5..da37a15b8c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,10 +87,10 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_ignore_include_paths</filter>
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
include() or $IncludeConfig statements.
These paths are conf files, not log files. Their permissions don't need to be as


@ -1,23 +0,0 @@
From 602e57d4c643be443110bbc772e6e5546b1a3cd3 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 26 Jun 2020 16:56:52 +0200
Subject: [PATCH] Update RHEL7 documentation link for
grub2_uefi_admin_username.
---
.../system/bootloader-grub2/grub2_uefi_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
index 1926837db7..0c69e59553 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
@@ -28,7 +28,7 @@ rationale: |-
For more information on how to configure the grub2 superuser account and password,
please refer to
<ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
+ <li>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-working_with_the_grub_2_boot_loader#sec-Protecting_GRUB_2_with_a_Password") }}}</li>.
</ul>
{{% endif %}}
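Review bot: the stray `.` after `</li>`, present in both the removed and the added line, sits directly inside `<ul>`, where text content is not allowed; move it inside the `<li>` or drop it while the line is being edited. The link correction itself is fine.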


@ -1,375 +0,0 @@
From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 10:54:51 +0200
Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
.../tests/no_sys_uids.pass.sh | 7 +++++++
.../tests/only_system_users.pass.sh | 6 ++++++
.../tests/system_user_with_shell.fail.sh | 6 ++++++
4 files changed, 23 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
new file mode 100644
index 0000000000..6d48ad78fd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -0,0 +1,4 @@
+# remediation = none
+
+#!/bin/bash
+true
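Review bot: `#!/bin/bash` on line 3 is an ordinary comment, not a shebang; the interpreter line is only honoured when it is the very first line, so this script (and the three other new test scripts in this patch, which also put `# remediation = none` first) runs under whatever shell the harness happens to invoke. Put `#!/bin/bash` on line 1 and the `# remediation = none` header after it.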
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
new file mode 100644
index 0000000000..bc4f9cee8c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -0,0 +1,7 @@
+# remediation = none
+
+#!/bin/bash
+
+# Force unset of SYS_UID values
+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
new file mode 100644
index 0000000000..0cdb820bbb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# remove any non-system user
+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
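Review bot: the keep-pattern `^root` matches any account whose name starts with `root`, not only the `root` account; anchor it as `^root:` so that a user such as `rootuser` with a login shell is removed like the other non-system users, otherwise the scenario can keep an entry that makes the rule fail for the wrong reason.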
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
new file mode 100644
index 0000000000..7639a8809d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -0,0 +1,6 @@
+# remediation = none
+
+#!/bin/bash
+
+# change system user "mail" shell to bash
+usermod --shell /bin/bash mail
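Review bot: `usermod --shell /bin/bash mail` assumes the `mail` account exists; on a minimal image without it the command exits non-zero and the failing condition is never created, so the scenario reports a setup error instead of the expected fail. Guard it with `getent passwd mail || useradd -r -s /sbin/nologin mail` before the `usermod`, or pick a system account every supported platform ships.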
From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 11:27:48 +0200
Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
range of UIDs
There is no need to make calculations on top of the UIDs, we can compare
the collected UIDs with shell against the states that define the valid range.
Avoiding the calculations has the added benefit of not using/referencing
a variable that can be empty (when no user has shell, except root).
---
.../oval/shared.xml | 198 +++---------------
1 file changed, 33 insertions(+), 165 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
index 7e68441867..d0e836515b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
@@ -79,13 +79,6 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <!-- Extract UIDs from /etc/passwd entries into OVAL variable -->
- <local_variable id="variable_sys_uids_etc_passwd" datatype="int"
- comment="UIDs retrieved from /etc/passwd" version="1">
- <object_component item_field="subexpression"
- object_ref="object_etc_passwd_entries" />
- </local_variable>
-
<!-- FIRST CRITERION -->
<!-- If both SYS_UID_MIN and SYS_UID_MAX aren't defined in /etc/login.defs
perform the check that all /etc/passwd entries having shell defined have
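Review bot: removing `variable_sys_uids_etc_passwd` here is only safe if every `var_ref` to it goes as well; the later hunks of this patch drop all six remaining references, so the file stays consistent, but running the OVAL through `oscap oval validate` as part of the change would catch any dangling reference.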
@@ -100,63 +93,23 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, UID_MIN - 1> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold (x - 0) * (x - (UID_MIN -1)) range -->
- <local_variable id="variable_default_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get (x - (UID_MIN -1)) result -->
- <arithmetic arithmetic_operation="add">
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get -1 * (UID_MIN - 1) result -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <!-- Get (UID_MIN -1) result -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_uid_min_value" />
- <literal_component datatype="int">-1</literal_component>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
- <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the default <0, UID_MIN - 1> UID range test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, UID_MIN -1> range -->
- <ind:variable_test id="test_shell_defined_default_uid_range" check="all"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_default_uid_range" check="all"
check_existence="all_exist" comment="&lt;0, UID_MIN - 1&gt; system UIDs having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_default_uid_range" />
- <ind:state state_ref="state_shell_defined_default_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
+ <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Test if SYS_UID_MIN not defined in /etc/login.defs -->
<ind:textfilecontent54_test id="test_sys_uid_min_not_defined"
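Review bot: `test_shell_defined_default_uid_range` keeps `check_existence="all_exist"` while the two equivalent tests later in this patch switch to `any_exist`; with `all_exist`, a system where `object_etc_passwd_entries` collects nothing (no account other than root has a shell, exactly the case the commit message mentions) evaluates the test to false and the rule fails even though nothing is wrong. Use `any_exist` here too so the three range tests behave the same on an empty collection. The `state_uid_less_than_zero` branch can never match a UID from `/etc/passwd` (UIDs are non-negative), so it is harmless but could be dropped together with the `state_operator="OR"` for clarity.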
@@ -200,121 +153,36 @@
</regex_capture>
</local_variable>
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for reserved system accounts, thus
- UIDs from the range <0, SYS_UID_MIN> -->
- <local_variable id="variable_reserved_range_quad_expr" datatype="int"
- comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
- version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <!-- (x - 0) = x => use just "x" value -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
- <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
- </ind:variable_object>
-
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
-
<!-- Perform the reserved UID range <0, SYS_UID_MIN> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <0, SYS_UID_MIN> range -->
- <ind:variable_test id="test_shell_defined_reserved_uid_range" check="all"
- check_existence="all_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
- version="1">
- <ind:object object_ref="object_shell_defined_reserved_uid_range" />
- <ind:state state_ref="state_shell_defined_reserved_uid_range" />
- </ind:variable_test>
-
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
- https://github.com/OpenSCAP/openscap/issues/428
-
- Within the test below we will check if all /etc/passwd entries
- having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
- If at least one UID is within the range, test will fail.
-
- Observation: Number "x" is outside of <a, b> range if the following
- inequality is met (x - a) * (x - b) > 0
- -->
-
- <!-- OVAL variable to hold UIDs for dynamically allocated system accounts,
- thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
- <local_variable id="variable_dynalloc_range_quad_expr" datatype="int"
- comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_reserved_uid_range" check="all"
+ check_existence="any_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set"
version="1">
- <!-- Construct the final multiplication -->
- <arithmetic arithmetic_operation="multiply">
- <!-- Construct (x - SYS_UID_MIN) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MIN -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_min_value" />
- </arithmetic>
- </arithmetic>
- <!-- Construct (x - SYS_UID_MAX) expression -->
- <arithmetic arithmetic_operation="add">
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
- <!-- Get negative value of SYS_UID_MAX -->
- <arithmetic arithmetic_operation="multiply">
- <literal_component datatype="int">-1</literal_component>
- <variable_component var_ref="variable_sys_uid_max_value" />
- </arithmetic>
- </arithmetic>
- </arithmetic>
- </local_variable>
-
- <!-- Foreach previously collected UID store the expression into
- corresponding OVAL object -->
- <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
- <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
- </ind:variable_object>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_zero" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
+ </ind:textfilecontent54_test>
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
- <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
- <ind:value datatype="int" operation="greater than">0</ind:value>
- </ind:variable_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
<!-- Perform the dynamically allocated UID range <SYS_UID_MIN, SYS_UID_MAX> test itself -->
<!-- Thus check that all /etc/passwd entries having shell defined
have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
- <ind:variable_test id="test_shell_defined_dynalloc_uid_range" check="all"
- check_existence="all_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_dynalloc_uid_range" check="all"
+ check_existence="any_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set"
version="1">
- <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
- <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
- </ind:variable_test>
+ <ind:object object_ref="object_etc_passwd_entries" />
+ <ind:state state_ref="state_uid_less_than_sys_uid_min" />
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
+ <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
+ </ind:textfilecontent54_state>
</def-group>
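Review bot: `state_uid_greater_than_or_equal_sys_uid_max` uses `greater than or equal`, so a system account whose UID is exactly `SYS_UID_MAX` and has a login shell now passes `test_shell_defined_dynalloc_uid_range`; the removed `(x - SYS_UID_MIN) * (x - SYS_UID_MAX) > 0` form excluded that boundary because the product is zero there, and `useradd -r` allocates inclusively up to `SYS_UID_MAX`. Change the operation to `greater than` so the dynamic range stays inclusive at the top. The other boundaries are consistent: `UID_MIN` is correctly allowed by the default test (the range is `<0, UID_MIN - 1>`), and a UID equal to `SYS_UID_MIN` is caught by this test's `less than` state.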
From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 4 Jun 2020 14:04:37 +0200
Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
---
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +-
.../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
.../tests/only_system_users.pass.sh | 3 +--
.../tests/system_user_with_shell.fail.sh | 3 +--
4 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
index 6d48ad78fd..833831f79d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
@@ -1,4 +1,4 @@
+#!/bin/bash
# remediation = none
-#!/bin/bash
true
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
index bc4f9cee8c..6769895eb2 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# Force unset of SYS_UID values
sed -i '/^SYS_UID_MIN/d' /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
index 0cdb820bbb..06edf671ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# remove any non-system user
sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
index 7639a8809d..10312593b8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
@@ -1,6 +1,5 @@
-# remediation = none
-
#!/bin/bash
+# remediation = none
# change system user "mail" shell to bash
usermod --shell /bin/bash mail


@ -1,163 +0,0 @@
From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:53:38 +0200
Subject: [PATCH 1/3] fixed description, oval, ansible, bash
---
.../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
.../configure_openssl_crypto_policy/oval/shared.xml | 2 +-
.../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++-----
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index e6318f221c..98fe134aca 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -15,7 +15,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/openssl.config"
+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
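Review bot: the `line:` value now says `opensslcnf.config` but the task `name:` strings of both tasks still read `openssl.config`; patch 3/3 of this series renames them, but folding that rename into this commit avoids an intermediate revision whose task names contradict what they write.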
@@ -24,7 +24,7 @@
- name: "Add crypto_policy group and set include openssl.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 0b3cbf3b46..a0b30cce96 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
function remediate_openssl_crypto_policy() {
CONFIG_FILE="/etc/pki/tls/openssl.cnf"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
index a9b3f7b6e9..2019769736 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
version="1">
<ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
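Review bot: the pattern only accepts whitespace (`\s*\n*\s*`) between the `[ crypto_policy ]` header and the `.include` line, so a file with a comment or another directive in between is reported non-compliant, whereas the `grep` in the rule's OCIL text and the `insertafter` used by the Ansible remediation accept the include anywhere in the section; either tighten the OCIL and remediation or relax this pattern so check and remediation agree. Separately, `\n*` is redundant because `\s` already matches newlines.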
</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index 8c015bb3b2..1a66570a8c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -11,7 +11,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under <tt>/etc/pki/tls/openssl.cnf</tt>.
This file has the <tt>ini</tt> format, and it enables crypto policy support
- if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
+ if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
rationale: |-
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
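Review bot: the rationale line at the end of this hunk reads "makes the behavior of the Java runtime violates expectations" in a rule about OpenSSL; since the file is being edited, fix the verb form ("violate") and check whether "Java runtime" was carried over from the Java crypto-policy rule and should say "OpenSSL".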
@@ -29,11 +29,11 @@ references:
ocil_clause: |-
the OpenSSL config file doesn't contain the whole section,
- or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
+ or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
ocil: |-
- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
<pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
- <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
- <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
+ <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
+ <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:54:09 +0200
Subject: [PATCH 2/3] updated tests
---
.../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +-
.../tests/wrong.fail.sh | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
index 5b8334735e..c56916883e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
@@ -6,5 +6,5 @@
create_config_file_with "[ crypto_policy ]
-.include /etc/crypto-policies/back-ends/openssl.config
+.include /etc/crypto-policies/back-ends/opensslcnf.config
"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
new file mode 100644
index 0000000000..5b8334735e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+
+. common.sh
+
+create_config_file_with "[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/openssl.config
+"
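Review bot: the scenario name `wrong.fail.sh` does not say which defect it covers; the blob id `5b8334735e` shows it is the previous `ok.pass.sh` content, i.e. a configuration that still uses the old `openssl.config` include path. Name it after that (for example `old_include_path.fail.sh`) and add a one-line comment saying the include name is the obsolete one, so a reader does not take the blank line between the section header and the include for the thing being tested.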
From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Jun 2020 17:32:00 +0200
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
file.
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index 98fe134aca..986543c10f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -11,7 +11,7 @@
changed_when: False
check_mode: no
-- name: "Add .include for openssl.config to crypto_policy section"
+- name: "Add .include for opensslcnf.config to crypto_policy section"
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
@@ -21,7 +21,7 @@
- test_crypto_policy_group.stdout is defined
- test_crypto_policy_group.stdout | length > 0
-- name: "Add crypto_policy group and set include openssl.config"
+- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"


@ -1,383 +0,0 @@
From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 15:49:34 +0200
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
Introduce the rekey_limit_size and rekey_limit_time XCCDF values
to make the rule more flexible.
---
.../sshd_rekey_limit/bash/shared.sh | 9 ++++
.../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +-----
.../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++
.../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++
.../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++
.../sshd_rekey_limit/tests/ok.pass.sh | 4 ++
.../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++
.../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++
rhel8/profiles/ospp.profile | 2 +
10 files changed, 99 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..2620c2d49e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_rekey_limit_size
+populate var_rekey_limit_time
+
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..57aa090948
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -0,0 +1,43 @@
+{{% set filepath = "/etc/ssh/sshd_config" %}}
+{{% set parameter = "RekeyLimit" %}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ {{{- application_not_required_or_requirement_unset() }}}
+ {{{- application_required_or_requirement_unset() }}}
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+ <ind:object object_ref="obj_sshd_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
+</def-group>
+
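Review bot: the criteria block is not well-formed: one `<criteria ... operator="OR">` is opened but two `</criteria>` close it, so the file will not validate as written; the intent is presumably an outer `OR` (not installed) with an inner `AND` of the "application required" and line-in-file criteria, which needs a second opening `<criteria operator="AND">`. The description also uses `{{{ RekeyLimit }}}`, an undefined Jinja variable; `{{{ parameter }}}`, set on the second line of the file, is the value meant. Finally, `test_sshd_rekey_limit` is defined here but the `oval_line_in_file_criterion(filepath, "RekeyLimit")` macro references a test by its own naming scheme, so confirm that the generated criterion actually points at this test id rather than at a test that does not exist.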
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index e11678faa0..4936a381f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -7,7 +7,7 @@ description: |-
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
- <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
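Review bot: the unchanged context line `the session key of the is renegotiated` is missing a word (presumably "of the session" or "of the connection"); since this hunk already touches the description, fix the sentence here, and "put line ... to file" would read better as "add the line ... to the file".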
@@ -30,12 +30,4 @@ ocil: |-
following command:
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
If configured properly, output should be
- <pre>RekeyLimit 512M 1h</pre>
-
-template:
- name: sshd_lineinfile
- vars:
- missing_parameter_pass: 'false'
- parameter: RekeyLimit
- rule_id: sshd_rekey_limit
- value: 512M 1h
+ <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
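Review bot: the OCIL command `grep RekeyLimit /etc/ssh/sshd_config` also matches the commented-out `#RekeyLimit default none` line that ships in the stock sshd_config, so an auditor following it can see a hit even though `ocil_clause` says a commented-out setting is a failure. Suggest `grep -i '^\s*RekeyLimit' /etc/ssh/sshd_config` so only an active directive is shown. Dropping the `sshd_lineinfile` template here is consistent with the new variable-driven OVAL and remediations.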
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
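Review bot: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` has no `-i`, so it only prints the filtered file to stdout and leaves `/etc/ssh/sshd_config` untouched; the following `echo` then appends a second `RekeyLimit` line after any existing one, and sshd uses the first value it reads. The scenario should be `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`. The same missing `-i` appears in `bad_time.fail.sh`, `no_line.fail.sh` and `ok.pass.sh` in this patch.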
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
new file mode 100644
index 0000000000..16dc376508
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "default"
+ default: "512M"
+ "512M": "512M"
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
new file mode 100644
index 0000000000..8801fbbf6f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "none"
+ default: "1h"
+ "1hour": "1h"
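Review bot: the title (`'SSH RekeyLimit - size'`) and description (`'Specify the size component of the rekey limit.'`) of `var_rekey_limit_time.var` were copied from the size variable and should say "time". Also note the option naming is inconsistent between the two variables: size uses the value as its key (`"512M": "512M"`) while time uses `"1hour": "1h"`, which is why profiles select `var_rekey_limit_time=1hour` but `var_rekey_limit_size=512M`.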
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index c672066050..a5223a187f 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,8 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - var_rekey_limit_size=512M
+ - var_rekey_limit_time=1hour
- sshd_use_strong_rng
- openssl_use_strong_entropy
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 17:57:12 +0200
Subject: [PATCH 2/5] Updated stable profile definitions.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 23039c82b4..bdda39a903 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -214,6 +214,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index cd31b73700..ebef541921 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
documentation_complete: true
-extends: ospp
selections:
- account_disable_post_pw_expiration
- account_temp_expire_date
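Review bot: the removal of `extends: ospp` from the stable STIG profile snapshot is unrelated to the rekey-limit variables and is not mentioned in the commit message ("Updated stable profile definitions."); either state that the snapshot is being resynced with an earlier change to `rhel8/profiles/stig.profile`, or move it to its own commit so the profile-stability diff stays reviewable.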
@@ -243,6 +242,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:43:36 +0200
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
---
shared/macros-ansible.jinja | 14 ++++++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 56a3f5f3ec..6798a25d1f 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -1,3 +1,17 @@
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+ansible_instantiate_variables("varname1", "varname2")
+
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
+value: "Setting={{ varname1 }}"
+
+#}}
+{{%- macro ansible_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+- (xccdf-var {{{ name }}})
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{#
A wrapper over the Ansible lineinfile module. This handles the most common
options for us. regex is optional and when blank, it won't be included in
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 01b9e62e7b..3a94fe5dd8 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -1,5 +1,20 @@
{{# ##### High level macros ##### #}}
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+bash_instantiate_variables("varname1", "varname2")
+
+Then, assume that variables of that names are defined and contain the correct value, e.g.
+echo "Setting=$varname1" >> config_file
+
+#}}
+{{%- macro bash_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+populate {{{ name }}}
+{{# this line is intentionally left blank #}}
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
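Review bot: in the macro documentation, "assume that variables of that names are defined" should read "assume that variables with those names are defined". It would also help to say that `populate` is the function from `remediation_functions` that the generated `populate {{{ name }}}` line calls, since the Ansible counterpart emits an `(xccdf-var ...)` placeholder instead and a reader of one macro will look for the same mechanism in the other.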
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:44:08 +0200
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
---
.../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++
.../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +--
2 files changed, 9 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..43a2d4521f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
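Review bot: the header line `# platform = multi_platform_all [0/453]` carries stray text (`[0/453]`, which looks like a pasted terminal status) after the platform value; the build reads this comment to decide where the remediation applies, so the line should be exactly `# platform = multi_platform_all`. Minor: `{{ var_rekey_limit_size}} {{var_rekey_limit_time}}` has inconsistent spacing inside the Jinja braces.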
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 2620c2d49e..0277f31392 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -3,7 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_rekey_limit_size
-populate var_rekey_limit_time
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
---
.../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index 57aa090948..47796e5332 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,5 +1,4 @@
-{{% set filepath = "/etc/ssh/sshd_config" %}}
-{{% set parameter = "RekeyLimit" %}}
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
<def-group>
@@ -7,7 +6,7 @@
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
</metadata>
<criteria comment="sshd is configured correctly or is not installed" operator="OR">
{{{- application_not_required_or_requirement_unset() }}}


@ -1,102 +0,0 @@
From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 10:51:24 +0200
Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
---
.../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 +
rhel8/profiles/ospp.profile | 2 +-
rhel8/profiles/stig.profile | 3 +++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
index 16dc376508..395a087a68 100644
--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
@@ -12,3 +12,4 @@ options:
sshd_default: "default"
default: "512M"
"512M": "512M"
+ "1G": "1G"
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index a5223a187f..0dca8350f9 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,7 +58,7 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
- - var_rekey_limit_size=512M
+ - var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- sshd_use_strong_rng
- openssl_use_strong_entropy
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..a156857647 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,6 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
+ - sshd_rekey_limit
+ - var_rekey_limit_size=512M
+ - var_rekey_limit_time=1hour
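Review bot: this hunk adds `sshd_rekey_limit` with `512M`/`1hour` to `rhel8/profiles/stig.profile` although the subject only mentions "1G 1h in rhel8 ospp", and patch 3/3 below reverts exactly these three lines; squash the two so the series does not add and then remove the selection. The subject's "1h" is also slightly misleading, since the time value is unchanged and only the size moves from `512M` to `1G`.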
From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 10:51:54 +0200
Subject: [PATCH 2/3] update stable ospp profile
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index bdda39a903..25f7922bf3 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -214,7 +214,7 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
-- var_rekey_limit_size=512M
+- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 09:30:58 +0200
Subject: [PATCH 3/3] propagate change also into stig profile
---
rhel8/profiles/stig.profile | 3 ---
tests/data/profile_stability/rhel8/stig.profile | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index a156857647..2bb81cf9dc 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,6 +44,3 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- - sshd_rekey_limit
- - var_rekey_limit_size=512M
- - var_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ebef541921..6c4270925f 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -242,7 +242,7 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
-- var_rekey_limit_size=512M
+- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4


@ -1,798 +0,0 @@
From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:34:50 +0200
Subject: [PATCH 01/11] add rule, variables, check, remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
.../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
.../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
.../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
.../var_ssh_client_rekey_limit_size.var | 15 +++++++
.../var_ssh_client_rekey_limit_time.var | 14 +++++++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..6d2bcbbd44
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
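Review bot: the same stray `[0/453]` text is on the `# platform` line of this new Ansible remediation (patch 05/11 below corrects it; fold that fix in here). The `ansible_lineinfile` regex `^\s*RekeyLimit.*$` only replaces a line inside `02-rekey-limit.conf`; with `create='yes'` that is fine for a fresh drop-in, but see the note on `rule.yml` about settings that take precedence over this file.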
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..43d0971ffc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..2412763e3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -0,0 +1,39 @@
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="RekeyLimit is correctly configured for ssh client">
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
+</def-group>
+
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
new file mode 100644
index 0000000000..a1b85b0ee5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure session renegotiation for SSH client'
+
+description: |-
+ The <tt>RekeyLimit</tt> parameter specifies how often
+ the session key is renegotiated, both in terms of
+ amount of data that may be transmitted and the time
+ elapsed. To decrease the default limits, put line
+ <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+
+rationale: |-
+ By decreasing the limit based on the amount of data and enabling
+ time-based limit, effects of potential attacks against
+ encryption keys are limited.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82880-6
+
+references:
+ ospp: FCS_SSHS_EXT.1
+
+ocil_clause: 'it is commented out or is not set'
+
+ocil: |-
+ To check if RekeyLimit is set correctly, run the
+ following command:
+ <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
+ If configured properly, output should be
+ <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
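Review bot: the `references:` entry `ospp: FCS_SSHS_EXT.1` is the SSH server SFR; the client-side requirement in the OSPP is `FCS_SSHC_EXT.1`, which is what a rule for `ssh_config` should cite. The description should also state the scope of this control: the ssh client reads the user's `~/.ssh/config` before the system-wide configuration and uses the first value obtained for each parameter, so a drop-in under `/etc/ssh/ssh_config.d/` is a default that any user can override per host, and the OVAL (which only inspects `02-rekey-limit.conf`) cannot detect such an override. Same wording nit as the server rule: "put line ... to file" should be "add the line ... to the file".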
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
new file mode 100644
index 0000000000..bcf051fd97
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "default"
+ default: "512M"
+ "512M": "512M"
+ "1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
new file mode 100644
index 0000000000..31c76f9ab5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "none"
+ default: "1h"
+ "1hour": "1h"
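Review bot: the title `'SSH client RekeyLimit - size'` and the description `'Specify the size component of the rekey limit.'` are copied from the size variable; patch 04/11 below corrects both, so squash that fix into this commit rather than introducing the wrong text first.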
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 45d03a2c1d..e060d2fb1c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82880-6
CCE-82882-2
CCE-82883-0
CCE-82888-9
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:24 +0200
Subject: [PATCH 02/11] add tests
---
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
4 files changed, 15 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
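Review bot: these client test scenarios edit `/etc/ssh/sshd_config`, but the rule's OVAL checks `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, so `bad_size`, `bad_time` and `no_line` would fail (and `ok.pass.sh` would pass) for reasons unrelated to the check. They also repeat the `sed` without `-i`, which does not modify the file. Patch 05/11 below rewrites all four to target the drop-in file; that rewrite belongs in this commit.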
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:43 +0200
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
---
rhel8/profiles/ospp.profile | 5 +++++
tests/data/profile_stability/rhel8/ospp.profile | 3 +++
tests/data/profile_stability/rhel8/stig.profile | 3 +++
3 files changed, 11 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 0dca8350f9..07d32b814d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -410,3 +410,8 @@ selections:
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 25f7922bf3..b0d7672c36 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -240,4 +240,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: Protection Profile for General Purpose Operating Systems
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6c4270925f..330ecc7e1e 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,4 +269,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:25:41 +0200
Subject: [PATCH 04/11] improve description of variables
---
.../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
.../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index bcf051fd97..4e20104cba 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -2,14 +2,20 @@ documentation_complete: true
title: 'SSH client RekeyLimit - size'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the size component of the rekey limit. This limit signifies amount
+ of data. After this amount of data is transferred through the connection,
+ the session key is renegotiated. The number is followed by K, M or G for
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+ configured according to ellabsed time.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "default"
default: "512M"
"512M": "512M"
"1G": "1G"
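Review bot: "ellabsed time" should be "elapsed time". The hunk also drops the `ssh_client_default: "default"` option, which the commit message ("improve description of variables") does not mention; if the intent is that selecting the client default is no longer supported, say so, because a profile that selected `var_ssh_client_rekey_limit_size=ssh_client_default` would now fail to build.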
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 31c76f9ab5..6143a5448c 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -1,14 +1,20 @@
documentation_complete: true
-title: 'SSH client RekeyLimit - size'
+title: 'SSH client RekeyLimit - time'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the time component of the rekey limit. This limit signifies amount
+ of data. The session key is renegotiated after the defined amount of time
+ passes. The number is followed by units such as H or M for hours or minutes.
+ Note that the RekeyLimit can be also configured according to amount of
+ transfered data.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "none"
default: "1h"
"1hour": "1h"
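Review bot: the new description of the time variable still contains the sentence `This limit signifies amount of data.`, copied from the size variable; it should say that the limit is an amount of time. "transfered" should be "transferred". As with the size variable, the removal of `ssh_client_default: "none"` should be mentioned in the commit message.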
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:26:12 +0200
Subject: [PATCH 05/11] fix tests and ansible
---
.../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index 6d2bcbbd44..bb6544a0a0 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_all [0/453]
+# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 2ac0bbf350..22c465b08f 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
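Review bot: the test appends with `>>` but never removes an existing /etc/ssh/ssh_config.d/02-rekey-limit.conf, so a leftover correct `RekeyLimit` line from an earlier run would still satisfy the check and this .fail.sh would pass; clear the file first (`rm -f`, as ok.pass.sh in this same patch does, or write with `>`) and drop the empty line left in place of the removed `sed`.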
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index fec859fe05..0dc621b1da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
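Review bot: same issue as bad_size.fail.sh: the `>>` append does not remove a pre-existing 02-rekey-limit.conf, so clear the file before writing the wrong value.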
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index a6cd10163f..f6abf711da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,3 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index a6a2ba7adf..e64e4191bc 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,4 +1,5 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 1 Jun 2020 14:29:47 +0200
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
---
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
rhel8/profiles/stig.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 1 -
3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index e64e4191bc..89d7069687 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -2,4 +2,4 @@
rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
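Review bot: the pass test still leaves /etc/ssh/ssh_config untouched; once the OVAL rewritten in patch 07 requires that no `RekeyLimit` line exists in the main config, a host that ships one there makes this .pass.sh fail for a reason unrelated to the drop-in file. Add `sed -i '/^[[:space:]]*RekeyLimit/d' /etc/ssh/ssh_config` to the setup.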
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..8f12852e26 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,4 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
+ - "!ssh_client_rekey_limit"
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 330ecc7e1e..9b164eb5c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,7 +269,6 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
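Review bot: the rule is dropped from the stability profile but `var_ssh_client_rekey_limit_size=1G` and `var_ssh_client_rekey_limit_time=1hour` remain selected; either remove the now-unused variable settings together with the rule, or keep the rule. A short comment next to the `"!ssh_client_rekey_limit"` unselect in rhel8/profiles/stig.profile saying why it is disabled would also help the next reader.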
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Jun 2020 12:38:19 +0200
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
---
.../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++-------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
index 2412763e3f..41fa0497ae 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -1,28 +1,17 @@
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
-
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
</metadata>
- <criteria comment="RekeyLimit is correctly configured for ssh client">
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
+ <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
+ <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
- <ind:object object_ref="obj_ssh_client_rekey_limit"/>
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
- <ind:filepath>{{{ filepath }}}</ind:filepath>
- <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
<literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
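Review bot: both patterns match only the literal spelling `RekeyLimit` followed by whitespace, but ssh_config(5) keywords are case-insensitive and may be separated from their argument by optional whitespace and a single `=`, so `rekeylimit 1G 1h` or `RekeyLimit=1G 1h` in /etc/ssh/ssh_config slips past the negated main-config criterion, and `rekeylimit 512M 1h` in a drop-in is not accepted by the include criterion. Consider a case-insensitive prefix such as `^[\s]*(?i:RekeyLimit)[\s]*=?[\s]*` in `ssh_client_line_regex` and in the main-config pattern.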
@@ -35,5 +24,26 @@
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
-</def-group>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
+ <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
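Review bot: `obj_ssh_client_rekey_limit_include_configs` only collects lines that already equal the expected value, so a drop-in that sorts before 02-rekey-limit.conf (for example 01-other.conf containing `RekeyLimit 2G 2h`) is invisible to the check, even though ssh keeps the first value it reads and the rule description says no such file may exist. Collect every `^[\s]*RekeyLimit[\s]+(.*)$` line in `^/etc/ssh/ssh_config\.d/.*\.conf$` instead and add an `ind:textfilecontent54_state` whose subexpression must equal the size/time value built from the two external variables, with `check="all"` so every occurrence has to match.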
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:24:54 +0200
Subject: [PATCH 08/11] rewrite remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++
.../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
2 files changed, 29 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index bb6544a0a0..36de503806 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -5,4 +5,20 @@
# disruption = low
{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
+
+- name: Collect all include config files for ssh client which configure RekeyLimit
+ find:
+ paths: "/etc/ssh/ssh_config.d/"
+ contains: '^[\s]*RekeyLimit.*$'
+ patterns: "*.config"
+ register: ssh_config_include_files
+
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^[\s]*RekeyLimit.*$'
+ state: "absent"
+ loop: "{{ ssh_config_include_files.files }}"
+
{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
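Review bot: the `find` task uses `patterns: "*.config"`, but the OVAL, the bash remediation and the tests all use `*.conf` under /etc/ssh/ssh_config.d, so nothing is ever collected and stale `RekeyLimit` lines in other drop-ins survive; change it to `"*.conf"`. The loop then hands each dict from `ssh_config_include_files.files` to `item`, so `path: "{{ item }}"` should read `path: "{{ item.path }}"`. Also `occurences` in the task name should be `occurrences`.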
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
index 43d0971ffc..99f6f63c92 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -5,4 +5,17 @@
{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+main_config="/etc/ssh/ssh_config"
+include_directory="/etc/ssh/ssh_config.d"
+
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
+fi
+
+for file in "$include_directory"/*.conf; do
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
+ fi
+done
+
{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
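Review bot: in grep and sed basic regular expressions `[\s]` is a bracket expression matching a backslash or the letter `s`, not whitespace, so the `grep -q '^[\s]*RekeyLimit.*$'` / `sed -i '/^[\s]*RekeyLimit.*/d'` pair misses indented lines such as `    RekeyLimit 2G 2h`; use `^[[:space:]]*RekeyLimit` in both. The `grep` guard is redundant (`sed -i` on a file without matches is a no-op), and the loop should skip the unexpanded glob when no `*.conf` exists, e.g. `[ -f "$file" ] || continue` as the first statement of the loop body.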
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:14 +0200
Subject: [PATCH 09/11] add more tests
---
.../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
.../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
.../tests/ok_different_config_file.pass.sh | 3 +++
3 files changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
new file mode 100644
index 0000000000..90314712af
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/basdh
+
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
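Review bot: the shebang reads `#!/bin/basdh` (patch 11 below corrects it), and unlike the existing tests this file lacks the `# platform = multi_platform_all` header the test runner reads; add it.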
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
new file mode 100644
index 0000000000..9ba20b0290
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/ssh/ssh_config.d/*
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
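Review bot: `rm -rf /etc/ssh/ssh_config.d/*` deletes every drop-in in the directory, including ones unrelated to this rule; removing just the `RekeyLimit` lines (for example `sed -i '/^[[:space:]]*RekeyLimit/d' /etc/ssh/ssh_config.d/*.conf`) keeps the test focused on what it is meant to exercise. The `# platform = multi_platform_all` header is missing here too.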
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
new file mode 100644
index 0000000000..f725f6936f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
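Review bot: the pass test writes only 05-some-file.conf and never clears 02-rekey-limit.conf or /etc/ssh/ssh_config, so a line left behind by another test, rather than the new file, may be what makes it pass; add the same `rm -f` setup as ok.pass.sh and the `# platform = multi_platform_all` header.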
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:29 +0200
Subject: [PATCH 10/11] extend description and ocil
---
.../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index a1b85b0ee5..76f5f84090 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -10,6 +10,12 @@ description: |-
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
<tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+ Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
+ the <tt>include</tt> directive in the main config file
+ <tt>/etc/ssh/ssh_config</tt>. Check also other files in
+ <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+ their names. Make sure that there is no file processed before
+ <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
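Review bot: the added text allows a `RekeyLimit` line in /etc/ssh/ssh_config as long as it comes after the include directive, but the OVAL in patch 07 fails the rule on any `RekeyLimit` line in that file, and the ocil below says the grep on the main file must return nothing. Align the description with the check (no `RekeyLimit` in /etc/ssh/ssh_config at all), and spell the directive as `<tt>Include</tt>` to match ssh_config(5).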
@@ -27,8 +33,11 @@ references:
ocil_clause: 'it is commented out or is not set'
ocil: |-
- To check if RekeyLimit is set correctly, run the
- following command:
- <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
- If configured properly, output should be
- <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
+ To check if RekeyLimit is set correctly, run the following command: <pre>$
+ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
+ properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
+ main configuration file with the following command: <pre>sudo grep
+ RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
+ output.
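Review bot: the first `<pre>` is split into `<pre>$` on one line and `sudo grep ...` on the next; `<pre>` preserves line breaks, so the rendered guide shows the prompt and the command on separate lines. Keep each command inside a `<pre>` on a single line. The context line `ocil_clause: 'it is commented out or is not set'` also no longer describes the second failure mode added here (a `RekeyLimit` line present in /etc/ssh/ssh_config); extend it.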
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 11:44:44 +0200
Subject: [PATCH 11/11] fix typos and wording
---
.../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++--
.../tests/bad_main_config_good_include_config.fail.sh | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 +
.../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
.../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
8 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 76f5f84090..b054d9d221 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -14,8 +14,9 @@ description: |-
the <tt>include</tt> directive in the main config file
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
- their names. Make sure that there is no file processed before
- <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
+ lexicographical order of file names. Make sure that there is no file
+ processed before <tt>02-rekey-limit.conf</tt> containing definition of
+ <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
index 90314712af..58befb0107 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -1,4 +1,4 @@
-#!/bin/basdh
+#!/bin/bash
echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 22c465b08f..1803c26629 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index 0dc621b1da..2c9e839255 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index f6abf711da..7de108eafd 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index 89d7069687..4c047ed179 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index 4e20104cba..c8dd8ef10e 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -7,7 +7,7 @@ description: |-
of data. After this amount of data is transferred through the connection,
the session key is renegotiated. The number is followed by K, M or G for
kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
- configured according to ellabsed time.
+ configured according to elapsed time.
interactive: true
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 6143a5448c..6223e8e38f 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -3,11 +3,10 @@ documentation_complete: true
title: 'SSH client RekeyLimit - time'
description: |-
- Specify the time component of the rekey limit. This limit signifies amount
- of data. The session key is renegotiated after the defined amount of time
- passes. The number is followed by units such as H or M for hours or minutes.
- Note that the RekeyLimit can be also configured according to amount of
- transfered data.
+ Specify the time component of the rekey limit. The session key is
+ renegotiated after the defined amount of time passes. The number is followed
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
+ be also configured according to amount of transfered data.
interactive: true
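Review bot: two wording slips remain in the rewritten paragraph: `transfered` should be `transferred`, and `can be also configured` reads better as `can also be configured`.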


@ -1,65 +0,0 @@
From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Tue, 16 Jun 2020 16:04:10 -0600
Subject: [PATCH] Remove grub documentation links from RHEL7 rationale
---
.../system/bootloader-grub2/grub2_admin_username/rule.yml | 7 -------
.../guide/system/bootloader-grub2/grub2_password/rule.yml | 7 -------
.../system/bootloader-grub2/grub2_uefi_password/rule.yml | 7 -------
3 files changed, 21 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
index 2042a17806..63a6a7a83c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
@@ -24,13 +24,6 @@ description: |-
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: low
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
index 00cec58c77..985b8727d7 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -23,13 +23,6 @@ rationale: |-
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: high
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index 954d6f21d0..3ce5a2df13 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -23,13 +23,6 @@ rationale: |-
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
- {{% if product == "rhel7" %}}
- For more information on how to configure the grub2 superuser account and password,
- please refer to
- <ul>
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
- </ul>
- {{% endif %}}
severity: medium


@ -1,88 +0,0 @@
From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 22 Jul 2020 09:52:50 +0200
Subject: [PATCH] Add grub2 platform to grub2 kernel option rules
This will make sure these rules are applicable only when grub2
(grub2-pc) is installed.
---
linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 ++
.../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
.../system/permissions/mounting/grub2_nousb_argument/rule.yml | 2 ++
.../guide/system/permissions/restrictions/poisoning/group.yml | 2 ++
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
7 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 00cb7f9b6c..5f3a47a776 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -102,6 +102,8 @@ warnings:
{{% endif %}}
</ul>
+platform: grub2
+
template:
name: grub2_bootloader_argument
vars:
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 6cab6f7bfe..aa95957b58 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument
diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
index a3c1f48231..407ba2c069 100644
--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
@@ -37,3 +37,5 @@ warnings:
Disabling all kernel support for USB will cause problems for systems
with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.
+
+platform: grub2
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
index 6a7a370f2b..030a3e9918 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
@@ -6,3 +6,5 @@ description: |-
Memory Poisoning consists of writing a special value to uninitialized or freed memory.
Poisoning can be used as a mechanism to prevent leak of information and detection of
corrupted memory.
+
+platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index e3047ef223..2d97ec75ea 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index 024c93f18b..39ca33b77a 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument


@ -1,954 +0,0 @@
From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 16:12:35 +0200
Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
Create initial version of zIPL specific BLS entries
template by copying bls_entries_option template.
---
.../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++
ssg/templates.py | 5 +++
2 files changed, 37 insertions(+)
create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
new file mode 100644
index 0000000000..a19bd5a89c
--- /dev/null
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+ <metadata>
+ <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ version="1">
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
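Review bot: the state on the last lines interpolates `ESCAPED_ARG_NAME_VALUE`, which `ssg/templates.py` derives by escaping only `.`; an `arg_name` or `arg_value` containing any other regex metacharacter (`+`, `*`, `(`, `$`) would be treated as an operator instead of matched literally. Escape the whole string in the template function (a `re.escape`-style replacement) or document that values are limited to word characters, `=`, `.` and `-`. Also `check_existence="all_exist"` on `^/boot/loader/entries/.*\.conf$` means a host with no BLS snippets fails the rule rather than being reported not applicable; that is acceptable for a `platform: machine` rule, but the `<description>` should say that at least one entry is required.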
diff --git a/ssg/templates.py b/ssg/templates.py
index 2795267abd..fc09416abe 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
return data
+@template(["oval"])
+def bls_entries_option(data, lang):
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
+ if lang == "oval":
+ # escape dot, this is used in oval regex
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ # replace . with _, this is used in test / object / state ids
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
+ return data
+
+
+@template(["oval"])
+def zipl_bls_entries_option(data, lang):
+ return bls_entries_option(data, lang)
+
+
class Builder(object):
"""
Class for building all templated content for a given product.
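Review bot: this hunk adds a second `def bls_entries_option` directly after the existing one: the hunk header names `def bls_entries_option(data, lang):` as the enclosing function and the `return data` context line is its tail, yet the first nine added lines define the same name again under `@template(["oval"])`. Registering the name twice is at best redundant and at worst narrows the original's language list; the diffstat (`ssg/templates.py | 5 +++`) also reports only five insertions, which matches just the `zipl_bls_entries_option` block. Drop the duplicate and keep only the `zipl_bls_entries_option(data, lang)` delegation.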
From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:11:04 +0200
Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
Extend zipl_bls_entries_option template to check that the kernel option
is also configured in /etc/kernel/cmdline.
The presence of the argument in /etc/kernel/cmdline ensures that newly
installed kernels will be configured with the option.
---
.../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index a19bd5a89c..9af1bcfbee 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -6,8 +6,10 @@
<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
</metadata>
<criteria operator="AND">
- <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
</definition>
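Review bot: the `<description>` in the context at the top of this hunk still says only the `options` line in `/boot/loader/entries/*.conf` is checked, while the new `test_kernel_update_..._option` criterion also requires the option in `/etc/kernel/cmdline`; update the description (and the rule OCIL) so an auditor sees both conditions. The first `<criterion>` is removed and re-added with identical text, so that part of the hunk is a whitespace-only change that can be left out.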
@@ -25,6 +27,19 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:filepath>/etc/kernel/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
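Review bot: `object_kernel_update_..._option` matches `^(.*)$` on every line of `/etc/kernel/cmdline` and the test uses `check="all"`, so any additional line in that file which lacks the option fails the rule even when the first line carries it. If a single command line is expected, pin `<ind:instance datatype="int">1</ind:instance>`; otherwise state in the description that every line must carry the option. `check_existence="all_exist"` also makes a missing `/etc/kernel/cmdline` a failure, which matches the remediation that creates the file, but deserves a sentence in the rule text.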
From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:12:32 +0200
Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
---
.../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++
.../template_BASH_zipl_bls_entries_option | 12 +++++
ssg/templates.py | 2 +-
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
new file mode 100644
index 0000000000..c0cb131b82
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -0,0 +1,48 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+ block:
+ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+ patterns: "*.conf"
+ register: entries_options
+
+ - name: "Update boot entries options"
+ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ when: entries_options is defined and entries_options.examined != entries_options.matched
+ # The conditional above assumes that only *.conf files are present in /boot/loader/entries
+ # Then, the number of conf files is the same as examined files
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
+ register: cmdline_find
+
+ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ create: yes
+ path: "/etc/kernel/cmdline"
+ line: '{{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and not cmdline_stat.stat.exists
+
+ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: "^(.*)$"
+ line: '\1 {{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
+
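Review bot: the `contains:` regexes `^options .*{{{ ARG_NAME_VALUE }}}.*$` and `^.*{{{ ARG_NAME_VALUE }}}.*$` have no boundaries and no escaping, unlike the OVAL state, which uses `(?:.*\s)?…(?:\s.*)?$` with `ESCAPED_ARG_NAME_VALUE`; `audit=1` therefore counts `audit=10` as present and `slub_debug=P` counts `slub_debug=PZ`, so the grubby step is skipped for such entries and check and remediation disagree. `ssg/templates.py` sets `escaped_arg_name_value` only when `lang == "oval"`, so either compute it for all languages or bound the Ansible patterns with `(^|\s)` and `(\s|$)`. Smaller points: the grubby `when:` compares `examined` with `matched`, which the comment itself concedes assumes only `*.conf` files exist, and the `find` for `cmdline` runs even when the preceding `stat` says the file is absent.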
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
new file mode 100644
index 0000000000..9fc8865486
--- /dev/null
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+
+# Ensure new kernels and boot entries retain the boot option
+if [ ! -f /etc/kernel/cmdline ]; then
+ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+ echo " audit=1" >> /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+fi
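Review bot: the `elif` test `grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` runs grep in basic-regex mode, where `(`, `)` and `?` are literal characters, so it never matches and the branch is always taken; use `grep -Eq`. Inside that branch the hardcoded `audit=1` ignores the template variable, and the `echo " audit=1" >>` followed by the `sed` append writes the option twice (once on a new line, once on every existing line). Drop the `echo` and use `{{{ ARG_NAME_VALUE }}}` in the `sed`.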
diff --git a/ssg/templates.py b/ssg/templates.py
index fc09416abe..a27fbb6cb6 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
return data
-@template(["oval"])
+@template(["ansible", "bash", "oval"])
def zipl_bls_entries_option(data, lang):
return bls_entries_option(data, lang)
From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 15:50:56 +0200
Subject: [PATCH 04/18] Enable zIPL in argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++
.../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++
6 files changed, 36 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 624b4e7041..894bf7995f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable audit.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index faf114591a..12334c9905 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit_backlog_limit
+ arg_value: '8192'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 866664c01b..f5a36ee1b3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: page_poison
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 2f02d9668c..168dae46a1 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -27,3 +27,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: pti
+ arg_value: 'on'
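Review bot: `pti=` is listed as an `[X86_64]` parameter in the kernel's command-line documentation; on the s390x systems this zIPL rule targets, the kernel ignores it, so the rule enforces an option that has no effect there (the same concern applies to `vsyscall=none` in the last hunk). Either scope these rules to the architectures where the option applies or mark them unscored/info in the profiles, and say so in the rationale.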
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 0cb10d3cd8..84a374e36f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not enable poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: slub_debug
+ arg_value: 'P'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index f79adeb083..c37e8bbefd 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -25,3 +25,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: vsyscall
+ arg_value: 'none'
From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sat, 4 Jul 2020 01:15:49 +0200
Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
Fix typo
---
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 12334c9905..15729dc6b6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
ocil: |-
To check that all boot entries extend the backlog limit;
Check that all boot entries extend the log events queue:
- <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
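Review bot: the corrected OCIL command still uses `grep -L "^options\s+…"` without `-E`; in GNU grep's default basic syntax `+` is a literal character, so `\s+` requires a whitespace character followed by a plus sign, the pattern matches no entry, and `grep -L` lists every file as non-compliant. Use `grep -E -L` (or `\s\+`) here, and check the sibling zipl argument rules for the same construct.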
From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:00:10 +0200
Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
The description of how to ensure that new boot entries remain compliant
was incorrect due to a copy-pasta mistake.
---
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 84a374e36f..83e043179d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,7 +8,7 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:06:56 +0200
Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++
.../zipl_audit_backlog_limit_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
7 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 894bf7995f..b1307ef3f2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83321-0
+
ocil_clause: 'auditing is not enabled at boot time'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 15729dc6b6..18391bee6c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83341-8
+
ocil_clause: 'audit backlog limit is not configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index f5a36ee1b3..7ffea8ce6a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83351-7
+
ocil_clause: 'page allocator poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 168dae46a1..6fd1082292 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83361-6
+
ocil_clause: 'Kernel page-table isolation is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 83e043179d..c499140c35 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83371-5
+
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c37e8bbefd..7edd43074f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -17,6 +17,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83381-4
+
ocil_clause: 'vsyscalls are enabled'
ocil: |-
From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:36:28 +0200
Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
These rules check and ensure configuration of BLS boot options used by
zIPL.
---
rhel8/profiles/ospp.profile | 8 ++++++++
rhel8/profiles/stig.profile | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 80e4b71fff..d3732fa805 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -419,3 +419,11 @@ selections:
# zIPl specific rules
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+ - zipl_vsyscall_argument
+ - zipl_vsyscall_argument.role=unscored
+ - zipl_vsyscall_argument.severity=info
+ - zipl_pti_argument
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index cfc2160be1..69d5222a32 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -49,3 +49,9 @@ selections:
# Unselect zIPL rules from OSPP
- "!zipl_bls_entries_only"
- "!zipl_bootmap_is_up_to_date"
+ - "!zipl_audit_argument"
+ - "!zipl_audit_backlog_limit_argument"
+ - "!zipl_page_poison_argument"
+ - "!zipl_pti_argument"
+ - "!zipl_slub_debug_argument"
+ - "!zipl_vsyscall_argument"
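Review bot: unselecting `zipl_vsyscall_argument` here leaves the `zipl_vsyscall_argument.role=unscored` and `.severity=info` refinements that the OSPP hunk above adds, so the STIG profile still carries refinements for a rule it does not select. Either undo those refinements alongside the `!` selections or have the profile resolver discard refinements whose rule is unselected, and add a comment next to the block saying why the zIPL rules are excluded from STIG.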
From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:30:25 +0200
Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
Just like rule selection, this allows rule refinements to be unselected, or "undone".
---
build-scripts/compile_profiles.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
index 0967252348..d1ce8984b2 100644
--- a/build-scripts/compile_profiles.py
+++ b/build-scripts/compile_profiles.py
@@ -3,6 +3,7 @@
import argparse
import sys
import os.path
+from copy import deepcopy
from glob import glob
import ssg.build_yaml
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
updated_variables.update(self.variables)
self.variables = updated_variables
- updated_refinements = dict(extended_profile.refine_rules)
+ extended_refinements = deepcopy(extended_profile.refine_rules)
+ updated_refinements = self._subtract_refinements(extended_refinements)
updated_refinements.update(self.refine_rules)
self.refine_rules = updated_refinements
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
self.resolved = True
+ def _subtract_refinements(self, extended_refinements):
+ """
+ Given a dict of rule refinements from the extended profile,
+ "undo" every refinement prefixed with '!' in this profile.
+ """
+ for rule, refinements in list(self.refine_rules.items()):
+ if rule.startswith("!"):
+ for prop, val in refinements:
+ extended_refinements[rule[1:]].remove((prop, val))
+ del self.refine_rules[rule]
+ return extended_refinements
+
def create_parser():
parser = argparse.ArgumentParser()
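Review bot: `extended_refinements[rule[1:]].remove((prop, val))` raises `KeyError` when the extended profile has no refinement for that rule and `ValueError` when it has one but not that exact `(prop, val)` pair, so a typo in a `!rule.prop=value` line aborts the build with a bare traceback. Guard both cases and raise an error that names the profile, rule and refinement; also delete the rule key once its list is empty so an empty refinement does not reach the output. From the context lines the helper is only called in the `extended_profile` branch of `resolve`, so a `!`-prefixed refinement in a profile that extends nothing is passed through untouched; that should at least be rejected.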
From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:32:32 +0200
Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
Remove the zIPL rule refinements from the STIG profile
---
rhel8/profiles/stig.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 69d5222a32..53647475aa 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -55,3 +55,5 @@ selections:
- "!zipl_pti_argument"
- "!zipl_slub_debug_argument"
- "!zipl_vsyscall_argument"
+ - "!zipl_vsyscall_argument.role=unscored"
+ - "!zipl_vsyscall_argument.severity=info"
From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 09:38:57 +0200
Subject: [PATCH 11/18] Update stable test for OSPP Profile
I just copied the resolved profile to the profile_stability directory.
---
tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 08dcccf24c..5aa3592496 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -168,6 +168,7 @@ selections:
- service_rngd_enabled
- service_systemd-coredump_disabled
- service_usbguard_enabled
+- ssh_client_rekey_limit
- sshd_disable_empty_passwords
- sshd_disable_gssapi_auth
- sshd_disable_kerb_auth
@@ -213,8 +214,14 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_audit_argument
+- zipl_audit_backlog_limit_argument
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+- zipl_page_poison_argument
+- zipl_pti_argument
+- zipl_slub_debug_argument
+- zipl_vsyscall_argument
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
@@ -238,11 +245,12 @@ selections:
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
- grub2_vsyscall_argument.role=unscored
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
-- var_ssh_client_rekey_limit_size=1G
-- var_ssh_client_rekey_limit_time=1hour
+- zipl_vsyscall_argument.role=unscored
+- zipl_vsyscall_argument.severity=info
title: Protection Profile for General Purpose Operating Systems
From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:15:25 +0200
Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
---
.../tests/correct_option.pass.sh | 16 ++++++++++++++++
.../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++
.../tests/missing_in_entry.fail.sh | 14 ++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
new file mode 100644
index 0000000000..a9bd49dd0b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
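Review bot: `grep -q '^(.*\s)?audit=1(\s.*)?$'` is a basic-regex grep in which `(`, `)` and `?` are literal, so it never matches and `audit=1` is always appended as a new line; with the OVAL test using `check="all"` over every line of `/etc/kernel/cmdline`, a pre-existing first line without the option makes this `.pass.sh` scenario fail. Use `grep -Eq`, and when the file exists and is non-empty extend its line (`sed -i 's/$/ audit=1/'`) instead of appending one. The `sed` on the entries also appends `audit=1` with no separating space, producing e.g. `…quietaudit=1`.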
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
new file mode 100644
index 0000000000..d4d1d978c8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
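Review bot: the loop has the same `sed` without a leading space before `audit=1` as the pass scenario, which glues the option to the previous one, and `(.*?)` in the final `sed -E` is not a lazy quantifier in ERE (GNU treats `*?` the same as `*`), so drop the `?`. `|| true` is fine here because an absent `/etc/kernel/cmdline` is also a failing state, but the comment should say so.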
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
new file mode 100644
index 0000000000..3e412c0542
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Remove audit=1 from all boot entries
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains audit=1
+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
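Review bot: the `sed` that strips `$kernelopts` from the rescue entry has no comment explaining why it is needed; add one. The first `sed` runs on `/boot/loader/entries/*` while the rule and the other scenarios use `*.conf`, so keep the glob consistent, and the `grep` on `/etc/kernel/cmdline` has the same missing `-E` as the pass scenario, so the option is always appended as a separate line.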
From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:34:52 +0200
Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
The template shouldn't have any hardcoded values.
---
shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
index 9fc8865486..dde8c948f7 100644
--- a/shared/templates/template_BASH_zipl_bls_entries_option
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
if [ ! -f /etc/kernel/cmdline ]; then
echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
- echo " audit=1" >> /etc/kernel/cmdline
- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
fi
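Review bot: after removing the hardcoded value the `elif` still runs `grep -q '^(.*\s)?…(\s.*)?$'` in basic-regex mode, where the grouping and `?` are literal, so the branch is always taken and every remediation run appends ` {{{ ARG_NAME_VALUE }}}` to the line again; the remediation is not idempotent and the file grows on each apply. Switch to `grep -Eq` with the same pattern as the OVAL state so the guard is meaningful.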
From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:08:26 +0200
Subject: [PATCH 14/18] Improve conditional check for the grubby command
Let's not trust that /boot/loader/entries/ only contains *.conf files.
Count the number of conf files and how many set the proper options.
---
.../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
index c0cb131b82..bccad2267c 100644
--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -6,18 +6,22 @@
- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
block:
- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ - name: "Check how many boot entries exist "
+ find:
+ paths: "/boot/loader/entries/"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
find:
paths: "/boot/loader/entries/"
contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
patterns: "*.conf"
- register: entries_options
+ register: n_entries_options
- name: "Update boot entries options"
command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
- when: entries_options is defined and entries_options.examined != entries_options.matched
- # The conditional above assumes that only *.conf files are present in /boot/loader/entries
- # Then, the number of conf files is the same as examined files
+ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
- name: "Check if /etc/kernel/cmdline exists"
stat:
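Review bot: the task name `"Check how many boot entries exist "` has a trailing space, and the `when:` guards `n_entries is defined and n_entries_options is defined` are redundant since both are set by `register` in the same block. The `contains:` pattern `^options .*{{{ ARG_NAME_VALUE }}}.*$` still has no boundaries, so an entry carrying `audit=10` is counted as setting `audit=1` and grubby is not run for it; bound it with `(^|\s)` and `(\s|$)`.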
From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:17:27 +0200
Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
Append "audit=1" with a space after the last option.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index a9bd49dd0b..5fcbcc5667 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
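Review bot: the fix adds the missing separator, but the guard `grep -q '^options.*audit=1.*$'` above it has no boundaries, so an options line carrying `audit=10` is treated as already correct and never gets `audit=1` appended; use `grep -Eq '^options.*\saudit=1(\s|$)'` to mirror the OVAL state. The same applies to the two sibling scenarios in this patch.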
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index d4d1d978c8..b75165f904 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 3e412c0542..e3d342d533 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -5,7 +5,7 @@
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
# But make sure one boot loader entry contains audit=1
-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
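Review bot: the removal regex `s/(^options.*\s)audit=1(.*?)$/\1\2/` relies on `.*?` in `sed -E`, which is POSIX ERE and has no lazy quantifier (GNU sed reads `.*?` as an ordinary greedy `.*`), so the intent is unclear to the next reader; `(.*)$` expresses the same thing without the misleading `?`. The same pattern is used on the `$kernelopts` line two lines below.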
From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:29:06 +0200
Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
These test scenarios can be run on any OS that supports BLS and provides
grubby.
But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
has s390utils-base installed).
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 5fcbcc5667..73ed0eae0f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index b75165f904..3af83d30d8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index e3d342d533..142f75ba60 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:35:55 +0200
Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index 9af1bcfbee..502d5e7d9a 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -7,7 +7,7 @@
</metadata>
<criteria operator="AND">
<criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
<criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 17:15:46 +0200
Subject: [PATCH 18/18] zipl_bls_entries_option: Suppress grep error messages
/etc/kernel/cmdline is not always present. Let's suppress any error
message about the absent file in the test scenarios.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 73ed0eae0f..7a828837fe 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -10,6 +10,6 @@ do
done
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi
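Review bot: adding `-s` is fine, but the pattern `'^(.*\s)?audit=1(\s.*)?$'` is ERE syntax run through `grep` in its default BRE mode, where `(`, `)` and `?` are literal characters; the check can therefore never match a real kernel command line, `! grep` is always true, and `audit=1` is appended to `/etc/kernel/cmdline` on every run (duplicating it when it is already present). Use `grep -qsE` so the grouping and `?` are interpreted as intended.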
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 142f75ba60..5650cc0a74 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi
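Review bot: same issue as in `correct_option.pass.sh` above: `grep -qs` runs in BRE mode, so `(...)?` is taken literally and the condition always appends `audit=1`; this should be `grep -qsE`.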


@ -1,43 +0,0 @@
From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jul 2020 13:22:58 +0200
Subject: [PATCH 1/2] update wording for rhel7 profile
---
rhel7/profiles/hipaa.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
index 4310561323..000441de52 100644
--- a/rhel7/profiles/hipaa.profile
+++ b/rhel7/profiles/hipaa.profile
@@ -12,6 +12,7 @@ description: |-
This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
selections:
- grub2_password
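Review bot: the added sentence reads awkwardly ("makes claims against legal compliance against the HIPAA Security Rule(s)"); "in no way guarantees or makes claims of legal compliance with the HIPAA Security Rule(s)" says the same thing clearly. It is also a single 120-plus character line in a block where the neighbouring description lines are wrapped at about 80 columns; wrapping it would keep the YAML block consistent. The identical line in the rhel8 `hipaa.profile` hunk in the next patch has the same two issues.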
From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jul 2020 13:23:18 +0200
Subject: [PATCH 2/2] update wording for rhel8 profile
---
rhel8/profiles/hipaa.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index 8d20f9019c..0cb7fbed1f 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -12,6 +12,7 @@ description: |-
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
selections:
- grub2_password


@ -1,52 +0,0 @@
From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 17 Aug 2020 10:59:15 +0200
Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
In SCAPVAL-1.3.5 it was fixed and these false positive workarounds are not
necessary anymore.
---
tests/run_scapval.py | 26 --------------------------
1 file changed, 26 deletions(-)
diff --git a/tests/run_scapval.py b/tests/run_scapval.py
index e1dd806ca1..bc2655b9fd 100755
--- a/tests/run_scapval.py
+++ b/tests/run_scapval.py
@@ -46,35 +46,9 @@ def process_results(result_path):
return ret_val
-def workaround_datastream(datastream_path):
- tree = ET.parse(datastream_path)
- root = tree.getroot()
- # group_id and user_id cannot be zero
- # tracked at https://github.com/OVAL-Community/OVAL/issues/23
- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
- if group_id_element.text is not None:
- group_id_element.text = "-1"
- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
- if user_id_element.text is not None:
- user_id_element.text = "-1"
- # OCIL checks for security_patches_up_to_date is causing fail
- # of SRC-377, when requirement is about OVAL checks.
- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
- for check in rule.findall("{%s}check" % xccdf_ns):
- system = check.get("system")
- if system == "http://scap.nist.gov/schema/ocil/2":
- rule.remove(check)
- output_path = datastream_path + ".workaround.xml"
- tree.write(output_path)
- return output_path
-
-
def test_datastream(datastream_path, scapval_path, scap_version):
result_path = datastream_path + ".result.xml"
report_path = datastream_path + ".report.html"
- if scap_version == "1.3":
- datastream_path = workaround_datastream(datastream_path)
scapval_command = [
"java",
"-Xmx1024m",
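Review bot: with `workaround_datastream` gone, this hunk removes the only visible uses of `ET`, `oval_unix_ns` and `xccdf_ns`; please check whether the corresponding import and namespace constants at the top of `tests/run_scapval.py` are now dead and drop them too. The `scap_version` parameter of `test_datastream` is still fine as long as it is passed to the `scapval_command` below; if the workaround was its only consumer it should go as well.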


@ -1,408 +0,0 @@
From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 8 Jul 2020 17:37:50 +0200
Subject: [PATCH 1/9] create rule, check, bash remediation
---
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 1 +
.../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 2 --
4 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
new file mode 100644
index 0000000000..9838a13c95
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
+
+#blank line at the begining to ease later readibility
+echo '' > "$file"
+echo "$cp" >> "$file"
+update-crypto-policies
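Review bot: the variable is named `cp`, which is easy to misread as the `cp` command in a shell script; something like `ciphersuites_line` would be clearer. The `echo '' > "$file"` followed by `echo "$cp" >> "$file"` writes a leading blank line into the drop-in purely for readability (and the comment has two typos: "begining", "readibility"); a single `printf '%s\n' "$cp" > "$file"` both truncates and writes the line in one step. Also note the header has no `# reboot = true`, while the Ansible variant added later in this series declares one; the two remediations should agree on whether a reboot is needed.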
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
new file mode 100644
index 0000000000..09199ce4da
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
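Review bot: `separator_regex="="` allows no whitespace around the equals sign, but the remediation in this same patch writes `Ciphersuites = ...` with spaces, so a freshly remediated system would still fail this check. The separator should be `\s*=\s*` (patch 4 of this series makes exactly that change). Minor: the trailing `, )` in the macro call leaves a stray comma after the last argument.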
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
new file mode 100644
index 0000000000..afbdb36a23
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Harden OpenSSL Crypto Policy'
+
+description: |-
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
+ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
+ This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
+ Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
+
+rationale: |-
+ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 84286-4
+
+references:
+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ ospp : FCS_SSHS_EXT.1
+ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+
+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
+
+ocil: |-
+ To verify if the OpenSSL uses defined Crypto Policy, run:
+ <pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
+ and verify that the line matches
+ <pre>84285-6</pre>
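Review bot: the `ocil` text tells the reader to verify that the line matches `84285-6`, which is a CCE identifier pasted in by mistake, not the expected `Ciphersuites = ...` line. In `references`, `ospp : FCS_SSHS_EXT.1` has a stray space before the colon and cites an SSH server requirement for a rule that configures OpenSSL TLS ciphersuites. The description also has "OPenSSL" and the dangling "OpenSSL r". All of these are corrected in later patches of the series, which argues for squashing them before shipping the rule.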
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index afc0d80417..01b321b6d5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -904,8 +904,6 @@ CCE-84281-5
CCE-84282-3
CCE-84283-1
CCE-84284-9
-CCE-84285-6
-CCE-84286-4
CCE-84287-2
CCE-84288-0
CCE-84289-8
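Review bot: two identifiers are taken from the pool here, but the rule's `identifiers` block only assigns `cce@rhel8: 84286-4`; `CCE-84285-6` is consumed without being assigned anywhere (it only appears, mistakenly, in the `ocil` text above). Either return `CCE-84285-6` to `cce-redhat-avail.txt` or make it the identifier the rule actually uses.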
From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 8 Jul 2020 17:38:32 +0200
Subject: [PATCH 2/9] add tests
---
.../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++
.../tests/correct_commented.fail.sh | 7 +++++++
.../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++
.../tests/empty_policy.fail.sh | 7 +++++++
.../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++
.../tests/incorrect_policy.fail.sh | 7 +++++++
.../tests/missing_file.fail.sh | 7 +++++++
7 files changed, 51 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
new file mode 100644
index 0000000000..9e59b30bd2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
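Review bot: this scenario (and the others in this patch) writes `/etc/crypto-policies/back-ends/opensslcnf.config` directly instead of going through `local.d` and `update-crypto-policies`, which is what the rule description documents as the supported mechanism. That is a reasonable shortcut for exercising the OVAL check in isolation, but a one-line comment saying so would prevent the next person from "fixing" the test to use `update-crypto-policies`, which would regenerate the file from the system policy.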
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
new file mode 100644
index 0000000000..91863849b3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
new file mode 100644
index 0000000000..f44957d3e1
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
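Review bot: the expected outcomes of this scenario and of `incorrect_followed_by_correct.pass.sh` both depend on the last `Ciphersuites` line winning, which is what the `prefix_regex="^(?:.*\\n)*\s*"` in the OVAL and the `| tail -n 1` in the `ocil` encode. That assumption is not written down anywhere in the tests; a short comment at the top of both files stating that the OVAL evaluates the last occurrence would make the pass/fail naming self-explanatory.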
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
new file mode 100644
index 0000000000..5b14fe8ef4
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites=" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
new file mode 100644
index 0000000000..6be3bb2ffa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
new file mode 100644
index 0000000000..b4fd0f97be
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
new file mode 100644
index 0000000000..2d11d227cb
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+rm -f "$configfile"
From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:05:38 +0200
Subject: [PATCH 3/9] remove blank line from remediation
---
.../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
index 9838a13c95..be6f84f83d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -3,7 +3,6 @@
cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
-#blank line at the begining to ease later readibility
-echo '' > "$file"
+
echo "$cp" >> "$file"
update-crypto-policies
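Review bot: removing `echo '' > "$file"` also removes the only statement that truncated the drop-in, so the remaining `echo "$cp" >> "$file"` now appends on every run and repeated remediation grows `opensslcnf-ospp.config` with duplicate `Ciphersuites` lines. Change the redirection to `>` (the check still passes because the last line is evaluated, but the file should not accumulate copies).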
From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:02 +0200
Subject: [PATCH 4/9] fix separator regex in oval
---
.../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
index 09199ce4da..37be62ee39 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:29 +0200
Subject: [PATCH 5/9] reformat rule, fix wrong ocil
---
.../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++-----
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index afbdb36a23..d019d6cd32 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -5,13 +5,23 @@ prodtype: rhel8
title: 'Harden OpenSSL Crypto Policy'
description: |-
- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
- This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
- Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
+ Crypto Policies are means of enforcing certain cryptographic settings for
+ selected applications including OpenSSL. OPenSSL is by default configured to
+ modify its configuration based on currently configured Crypto-Policy.
+ However, in certain cases it might be needed to override the Crypto Policy
+ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
+ <tt>xxx</tt> with arbitrary identifier, into
+ <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
+ <tt>update-crypto-policies</tt> so that changes are applied. Changes are
+ propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.
+ This rule checks if this file contains predefined <tt>Ciphersuites</tt>
+ variable configured with predefined value.
rationale: |-
- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+ The Common Criteria requirements specify that certain parameters for OpenSSL
+ are configured e.g. cipher suites. Currently particular requirements
+ specified by CC are stricter compared to any existing Crypto Policy.
severity: medium
@@ -30,4 +40,4 @@ ocil: |-
To verify if the OpenSSL uses defined Crypto Policy, run:
<pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
and verify that the line matches
- <pre>84285-6</pre>
+ <pre>Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</pre>
From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:34 +0200
Subject: [PATCH 6/9] update references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index d019d6cd32..075e381906 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -31,8 +31,8 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
- ospp : FCS_SSHS_EXT.1
- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+ ospp: FCS_TLSC_EXT.1.1
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:48 +0200
Subject: [PATCH 7/9] add ansible remediation
---
.../ansible/shared.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
new file mode 100644
index 0000000000..d5c2c2b9f7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ lineinfile:
+ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ create: yes
+ insertafter: EOF
+
+- name: "Update system crypto policy for changes to take effect"
+ command:
+ cmd: "update-crypto-policies"
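Review bot: the `command` task will report `changed` on every play run, which makes the remediation non-idempotent from Ansible's point of view; register the `lineinfile` result and run `update-crypto-policies` only `when:` it changed (or set `changed_when: false`). The header also differs from the bash remediation in the same series: `# platform = Red Hat Enterprise Linux 8` here versus Oracle Linux 8, RHV 4 and Fedora in `bash/shared.sh`, and `# reboot = true` here versus no reboot marker there; the two should be aligned.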
From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Wed, 15 Jul 2020 09:26:11 +0200
Subject: [PATCH 8/9] fix typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index 075e381906..ce0351aa34 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
description: |-
Crypto Policies are means of enforcing certain cryptographic settings for
- selected applications including OpenSSL. OPenSSL is by default configured to
- modify its configuration based on currently configured Crypto-Policy.
+ selected applications including OpenSSL. OpenSSL is by default configured to
+ modify its configuration based on currently configured Crypto Policy.
However, in certain cases it might be needed to override the Crypto Policy
- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ specific to OpenSSL and leave rest of the Crypto Policy intact. This can
be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
<tt>xxx</tt> with arbitrary identifier, into
<tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Jul 2020 09:36:06 +0200
Subject: [PATCH 9/9] update rule references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index ce0351aa34..0cbead2a6d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -30,8 +30,8 @@ identifiers:
references:
- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ nist: SC-8(1),SC-13
ospp: FCS_TLSC_EXT.1.1
- srg: SRG-OS-000250-GPOS-00093
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'


@ -1,48 +0,0 @@
From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Aug 2020 15:56:40 +0200
Subject: [PATCH] Add a missing Crypto Policy rule to OSPP.
The rule fell out by mistake, this addition complements #4682
---
rhel8/profiles/ospp.profile | 1 +
tests/data/profile_stability/rhel8/ospp.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 5 +++--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5b5b5b711a..a651885eef 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -235,6 +235,7 @@ selections:
- enable_fips_mode
- var_system_crypto_policy=fips_ospp
- configure_crypto_policy
+ - configure_ssh_crypto_policy
- configure_bind_crypto_policy
- configure_openssl_crypto_policy
- configure_libreswan_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5aa3592496..13c4e6b08d 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -62,6 +62,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 9b164eb5c2..c7fe02169a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -77,6 +77,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
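Review bot: the diffstat claims `tests/data/profile_stability/rhel8/stig.profile | 5 +++--` and `5 insertions(+), 2 deletions(-)`, but the three hunks in this patch contain three `+` lines and no `-` lines, and the stig.profile hunk adds only `+- configure_ssh_crypto_policy`. If hunks were dropped when this was backported, regenerate the stat (or note the trimming in the message) so a reviewer is not sent looking for a STIG change that is not in the patch.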

@ -1,22 +0,0 @@
From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 18 Aug 2020 13:55:12 +0200
Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
---
.../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index e2dd99dbb5..51788a3226 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
cis@rhel8: 5.2.20
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'

@ -1,884 +0,0 @@
From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 6 -----
.../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 6 -----
.../zipl_pti_argument/rule.yml | 6 -----
.../zipl_slub_debug_argument/rule.yml | 6 -----
.../zipl_vsyscall_argument/rule.yml | 6 -----
8 files changed, 24 insertions(+), 42 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
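Review bot: the context line `sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf` checks for `audit_backlog_limit=0`, while the description of the same rule requires `audit_backlog_limit=8192`. Since `grep -L` lists the files that lack the pattern, a correctly configured system would have every boot entry reported as failing. This predates the patch, but the hunk already edits this ocil block, so change the pattern to `\baudit_backlog_limit=8192\b` here rather than carrying the mismatch into the split-out rules.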
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+ by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+ configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+ Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
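Review bot: the new rule's rationale no longer states the security reason the old per-argument text carried. The removed lines said `if a line is returned zipl may load a different kernel than intended`, which is the actual risk: a non-BLS `image =` entry can boot a kernel that none of the `/boot/loader/entries/*.conf` argument checks ever looked at. Put that sentence in `rationale:` in place of `{{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of configuration`, which also reads as if the product itself were the "preferred method" and misspells "preferred". Two smaller points in the same hunk: `Ensure that zIPL boot entries fully adheres` should be `adhere`, and `grep -R` is pointless on a single file; plain `grep "^image\s*=" /etc/zipl.conf` is clearer.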
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
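Review bot: the context line `To ensure that new kernels and boot entries continue to extend the audit log events queue,` in zipl_slub_debug_argument is copied from the audit_backlog_limit rule and does not describe `slub_debug=P`; it should read along the lines of `To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,`. It is pre-existing, but the hunk is editing this paragraph, so fix it while it is being touched.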
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
---
.../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++
.../tests/image_configured.fail.sh | 6 +++++
.../tests/no_image.pass.sh | 7 +++++
3 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="zipl_bls_entries_only" version="1">
+ <metadata>
+ <title>Ensure zIPL entries are BLS compliant</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /etc/zipl.conf configures any boot entry</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf"
+ check="all" check_existence="none_exist" version="1">
+ <ind:object object_ref="object_zipl_bls_entries_only" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+ version="1">
+ <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
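Review bot: `<ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>` only matches `image` in column 1, so an indented `  image = /boot/...` line would pass the check; if zipl's config parser accepts leading whitespace before a key (worth confirming against the parser before changing), `^\s*image\s*=` closes that gap, and the `sed -Ei '/^image\s*=/d'` in no_image.pass.sh should use the same anchor so the test data and the check stay in agreement. Also, `<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>` is a regex applied to a literal path with an unescaped `.`; `operation="equals"` says what is meant and avoids the question.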
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
new file mode 100644
index 0000000000..e3adb99638
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+echo 'image = /boot/image' >> /etc/zipl.conf
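Review bot: the comment `# Make sure no image configured in zipl config file` is copied from the pass scenario and states the opposite of what the following line does, since `echo 'image = /boot/image' >> /etc/zipl.conf` adds an image entry. Reword it to describe the fail case, for example `# Configure a non-BLS image entry so the rule must fail`, so that someone reading the test data later is not misled about the intent.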
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
new file mode 100644
index 0000000000..47626442f6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
+true
From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 11:09:08 +0200
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b6ccbb5343..f792c5257f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -22,3 +22,8 @@ ocil: |-
No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
platform: machine
+
+warnings:
+ - general: |-
+ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
+ automated remediation for this rule is not available.
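Review bot: typo in the new warning text: `oconfigured` should be `configured`. Because `warnings` are rendered into the guide and the HTML report, this is user-visible and worth fixing before it lands; the sentence also needs a comma after `/etc/zipl.conf` to read correctly: `To prevent breakage or removal of all boot entries configured in /etc/zipl.conf, automated remediation for this rule is not available.`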
From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:51:04 +0200
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 7 -----
.../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 7 -----
.../zipl_pti_argument/rule.yml | 7 -----
.../zipl_slub_debug_argument/rule.yml | 7 -----
.../zipl_vsyscall_argument/rule.yml | 7 -----
8 files changed, 27 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 1211a53295..624b4e7041 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 7d88e38686..faf114591a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
new file mode 100644
index 0000000000..082562d11e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure zIPL bootmap is up to date'
+
+description: |-
+ Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
+ Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
+ be updated to reflect the changes.<br />
+ Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
+
+rationale: |-
+ The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
+ boot correct kernel and options.
+
+severity: medium
+
+ocil_clause: 'the bootmap is outdated'
+
+ocil: |-
+ Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
+
+platform: machine
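Review bot: the description and rationale should say what the check actually establishes. `find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap` compares modification times only, so a `touch /boot/bootmap`, or a restored backup carrying a newer timestamp, satisfies the rule without `zipl` ever regenerating the boot map, while a correctly regenerated bootmap followed by an edit that was later reverted still fails. Add a sentence stating that this is a timestamp heuristic for "zipl has not been re-run since the last configuration change", not a verification of the bootmap's contents, so that assessors do not read a pass as proof that the boot map matches the entries.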
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 1c3bfeb246..b0bc0fc374 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
@@ -25,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 6dbfd501b7..866664c01b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
-
To ensure that new kernels and boot entries continue to enable page poisoning,
add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 555fdf2b66..2f02d9668c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to enable page-table isolation,
add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +26,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index dd7865bf81..0cb10d3cd8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 18b7ade460..f79adeb083 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to disable virtual syscalls,
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -26,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 15:59:31 +0200
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
---
.../oval/shared.xml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
new file mode 100644
index 0000000000..6c446cbe59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
+ <metadata>
+ <title>Ensure zIPL bootmap is up to date</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /boot/bootmap is up to date</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bootmap_is_up_to_date"
+ comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
+ <unix:object object_ref="object_zipl_boot_bootmap_file" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
+ </unix:file_test>
+
+ <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
+ <unix:filepath>/boot/bootmap</unix:filepath>
+ </unix:file_object>
+
+ <!-- Newer means modified more recently, which means more seconds since epoch -->
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_zipl_conf_file_age" />
+ </unix:file_state>
+ <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
+ <object_component object_ref="zipl_conf_file" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
+ <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
+ </unix:file_object>
+
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_boot_entry_files_age" />
+ </unix:file_state>
+ <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
+ <object_component object_ref="boot_entry_files" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
+ <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
+ </unix:file_object>
+</def-group>
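Review bot: both `local_variable`s (`variable_zipl_conf_file_age`, `variable_boot_entry_files_age`) end up with no values when `/etc/zipl.conf` or `/boot/loader/entries/*.conf` is missing, and what a `unix:m_time` entity with `var_check="all"` over an empty variable evaluates to is evaluator-dependent rather than a clean pass or fail; either add explicit existence tests for those files to the `criteria` or document that the rule's `platform` is expected to make it not applicable on such systems. `greater than or equal` is the right operation, since `zipl` can rewrite the bootmap within the same second the entry was written, and `check_existence="all_exist"` on the `file_test` correctly fails the rule when `/boot/bootmap` itself is absent; a short comment saying both things would save the next reader the reasoning.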
From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:15:35 +0200
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
These tests mock existence of zIPL files.
---
.../tests/newer_boot_entry.fail.sh | 10 ++++++++++
.../tests/newer_zipl_conf.fail.sh | 10 ++++++++++
.../tests/up_to_date.pass.sh | 9 +++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
new file mode 100644
index 0000000000..728c6b7bdb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/bootmap
+sleep 2
+touch /boot/loader/entries/zipl-entry-2.conf
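Review bot: `touch /boot/loader/entries/*.conf` assumes the directory exists and already holds an entry; with default globbing an empty directory leaves the literal `*.conf` in place and `touch` creates a file named `*.conf`, which the OVAL pattern `^/boot/loader/entries/.*\.conf$` then happily matches. A `mkdir -p /boot/loader/entries` plus `shopt -s nullglob` (or simply dropping that line, since the explicit `zipl-entry-*.conf` touches already create entries) makes the fixture self-contained. The `sleep 2` is required because the check compares second-granularity mtimes with `greater than or equal`; a comment saying so would stop someone from shortening it.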
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
new file mode 100644
index 0000000000..1ae4d631ee
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
+sleep 2
+touch /etc/zipl.conf
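Review bot: same glob caveat as in `newer_boot_entry.fail.sh`: `touch /boot/loader/entries/*.conf` creates a literal `*.conf` file when the directory is empty, so guard it with `shopt -s nullglob` or drop it, as the two explicit entry files already exercise the pattern.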
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
new file mode 100644
index 0000000000..7981ba8c5c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
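Review bot: the pass case only works because `/boot/bootmap` is touched last and the OVAL uses `greater than or equal`, since all five `touch` calls normally land in the same second; that is fine but deserves a comment. The `touch /boot/loader/entries/*.conf` line has the same empty-directory glob problem as the fail scripts (a literal `*.conf` file is created) and should be guarded with `shopt -s nullglob` or removed.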
From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
---
.../ansible/shared.yml | 24 +++++++++++++++++++
.../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
2 files changed, 27 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+ block:
+ - name: "Obtain stats of /boot/bootmap"
+ stat:
+ path: /boot/bootmap
+ register: boot_bootmap
+
+ - name: "Obtain stats of /etc/zipl.conf"
+ stat:
+ path: /etc/zipl.conf
+ register: zipl_conf
+
+ # TODO: handle /boot/loader/entries/*.conf
+
+ - name: "Update zIPL bootmap"
+ command: /usr/sbin/zipl
+ changed_when: True
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
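Review bot: the remediation regenerates the bootmap only when `/etc/zipl.conf` is newer, while the OVAL check also fails when any `/boot/loader/entries/*.conf` is newer than `/boot/bootmap` (the `TODO` just above the `Update zIPL bootmap` task), so a system can fail the rule, be remediated, and fail again; a `find` task over `/boot/loader/entries` with `patterns: "*.conf"` followed by `stat` over the results, and a `when` that ORs the entry mtimes in, would close the gap. The `when` expression also raises an undefined-attribute error when `/boot/bootmap` does not exist (`stat` then returns `exists: false` and no `mtime`), so guard it: `when: not boot_bootmap.stat.exists or boot_bootmap.stat.mtime < zipl_conf.stat.mtime`.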
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl
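Review bot: `/usr/bin/zipl` is the wrong path; the binary lives at `/usr/sbin/zipl`, which is what the Ansible remediation in the same patch calls and what 09/14 later corrects, so squash that fix into this commit so no intermediate revision ships a remediation that fails with "command not found". Running `zipl` unconditionally is harmless (it just rewrites the bootmap) but differs from the conditional Ansible version; a one-line comment explaining that the Bash variant deliberately skips the mtime check would avoid the question in review.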
From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
---
rhel8/profiles/ospp.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
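Review bot: typo in the added comment: `# zIPl specific rules` should be `# zIPL specific rules`, matching the product name used in the commit subjects (`Select zIPL specific rules`).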
From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
---
.../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
# platform = Red Hat Enterprise Linux 8
-/usr/bin/zipl
+/usr/sbin/zipl
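Review bot: this one-line correction belongs squashed into 07/14 (`Add remediations`) rather than standing on its own, so that no revision in the series carries a Bash remediation pointing at a non-existent `/usr/bin/zipl`.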
From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
There can be leading spaces before 'image'.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
- <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
There is no need to perform a pattern match; the check just needs to
examine the /etc/zipl.conf file.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
- <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83485-3
+
ocil_clause: 'a non BLS boot entry is configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83486-1
+
ocil_clause: 'the bootmap is outdated'
ocil: |-
From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
Update the profile reference file.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
The zIPL rules are inherited from the OSPP profile.
---
rhel8/profiles/stig.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"

@ -1,209 +0,0 @@
From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:31:59 +0200
Subject: [PATCH 1/3] modify rule description and ocil
---
.../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
index 765fca583e..1667557740 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
description: |-
Device files, which are used for communication with important system
- resources, should be labeled with proper SELinux types. If any device
- files do not carry the SELinux type <tt>device_t</tt>, report the bug so
- that policy can be corrected. Supply information about what the device is
- and what programs use it.
+ resources, should be labeled with proper SELinux types. If any device files
+ carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
+ bug so that policy can be corrected. Supply information about what the
+ device is and what programs use it.
<br /><br />
- To check for unlabeled device files, run the following command:
+ To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
rationale: |-
- If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
- cannot properly restrict access to the device file.
+ If a device file carries the SELinux type <tt>device_t</tt> or
+ <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
+ device file.
severity: medium
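Review bot: the new wording `run following commands` should read `run the following commands`; and in both `find` invocations the context patterns `*:device_t:*` and `*:unlabeled_t:*` should be quoted (`-context '*:device_t:*'`) so the shell cannot expand them against files in the current directory before `find` sees them.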
@@ -45,8 +47,9 @@ references:
ocil_clause: 'there is output'
ocil: |-
- To check for unlabeled device files, run the following command:
+ To check for incorrectly labeled device files, run following commands:
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
It should produce no output in a well-configured system.
warnings:
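Review bot: same two fixes as in the description hunk above: `run following commands` should be `run the following commands`, and the `*:device_t:*` / `*:unlabeled_t:*` arguments should be single-quoted so they reach `find` unexpanded.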
From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:32:57 +0200
Subject: [PATCH 2/3] updated oval to check only device files
---
.../oval/shared.xml | 64 +++++++++++++------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
index 51b68008af..7dcfb98577 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
@@ -2,32 +2,54 @@
<definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
<metadata>
<title>Device Files Have Proper SELinux Context</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- <platform>Red Hat Enterprise Linux 7</platform>
- <platform>Red Hat Enterprise Linux 8</platform>
- <platform>Red Hat Virtualization 4</platform>
- <platform>multi_platform_fedora</platform>
- <platform>multi_platform_ol</platform>
- <platform>multi_platform_wrlinux</platform>
- </affected>
- <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
+ {{{- oval_affected(products) }}}
+ <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
</metadata>
- <criteria>
- <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
+ <criteria operator="AND">
+ <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
+ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
</criteria>
</definition>
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
- <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
- <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
+
+ <!-- collect all special files from /dev directory -->
+ <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
+ <unix:behaviors recurse_direction="down" />
+ <unix:path operation="equals">/dev</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_block_or_char_device_file</filter>
+ </unix:file_object>
+
+ <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
+ <unix:type operation="pattern match">^(block|character) special$</unix:type>
+ </unix:file_state>
+
+ <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
+ <object_component object_ref="object_dev_device_files" item_field="filepath" />
+ </local_variable>
+
+
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
+ <linux:object object_ref="object_selinux_dev_device_t" />
+ <linux:state state_ref="state_selinux_dev_device_t" />
</linux:selinuxsecuritycontext_test>
- <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
- <linux:behaviors recurse_direction="down" />
- <linux:path>/dev</linux:path>
- <linux:filename operation="pattern match">^.*$</linux:filename>
- <filter action="include">state_selinux_all_devicefiles_labeled</filter>
+ <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
+ <filter action="include">state_selinux_dev_device_t</filter>
</linux:selinuxsecuritycontext_object>
- <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
+ <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
<linux:type datatype="string" operation="equals">device_t</linux:type>
</linux:selinuxsecuritycontext_state>
+
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
+ <linux:object object_ref="object_selinux_dev_unlabeled_t" />
+ <linux:state state_ref="state_selinux_dev_unlabeled_t" />
+ </linux:selinuxsecuritycontext_test>
+ <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
+ <filter action="include">state_selinux_dev_unlabeled_t</filter>
+ </linux:selinuxsecuritycontext_object>
+ <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
+ <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
+ </linux:selinuxsecuritycontext_state>
+
</def-group>
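Review bot: `object_dev_device_files` recurses with the default `recurse_file_system`, so the walk descends into the pseudo-filesystems mounted under `/dev` (`/dev/pts`, `/dev/shm`, `/dev/mqueue`, `/dev/hugepages`); that is consistent with the OCIL's `find /dev` (no `-xdev`) and therefore probably intended, but say so in the object's `comment`, otherwise `recurse_file_system="defined"` keeps the check on the devtmpfs alone. Two smaller points: there is a double blank line between `variable_dev_device_files` and the first `selinuxsecuritycontext_test`, and the two `selinuxsecuritycontext_object`s are identical apart from the filter, which is fine but worth a comment that the per-type split exists only so each label gets its own test result. Dropping `comment="do it"` for real comments is a welcome change.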
From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:33:26 +0200
Subject: [PATCH 3/3] add tests
---
.../tests/block_device_device_t.fail.sh | 4 ++++
.../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++
.../tests/regular_file_device_t.pass.sh | 4 ++++
.../tests/symlink_with_wrong_label.pass.sh | 4 ++++
4 files changed, 26 insertions(+)
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
new file mode 100644
index 0000000000..08c4142e5b
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mknod /dev/foo b 1 5
+chcon -t device_t /dev/foo
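Review bot: unlike the zipl tests in this series, the script has no `# platform =` header, and it creates `/dev/foo` with `mknod` without removing it; unless the harness resets the target between scenarios, the later `regular_file_device_t.pass.sh` (`touch /dev/foo`) inherits a block device labeled `device_t` and passes or fails for the wrong reason. Add `rm -f /dev/foo` before the `mknod`, or use a distinct name per scenario.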
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
new file mode 100644
index 0000000000..1da85c2034
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# selinux does not allow unlabeled_t in /dev
+# we have to modify the selinux policy to allow that
+
+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
+semodule -i /tmp/unlabeled_t.cil
+
+mknod /dev/foo c 1 5
+chcon -t unlabeled_t /dev/foo
+
+
+mknod /dev/foo c 1 5
+chcon -t device_t /dev/foo
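Review bot: the trailing `mknod /dev/foo c 1 5` / `chcon -t device_t /dev/foo` pair looks like a leftover: the second `mknod` fails because `/dev/foo` already exists, and the `chcon` that follows relabels the node to `device_t`, so the scenario ends up exercising the `device_t` case rather than the `unlabeled_t` case its file name promises (it still fails the rule, but for the wrong reason). Drop the last three lines, and consider removing the temporary policy module afterwards (`semodule -r unlabeled_t`) so the allow rule does not leak into later scenarios.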
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
new file mode 100644
index 0000000000..d161951d7a
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /dev/foo
+restorecon -F /dev/foo
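Review bot: the scenario name says the regular file carries `device_t`, but the script only relies on `restorecon -F` assigning that label from the default `/dev` file context rather than setting it; use `chcon -t device_t /dev/foo` (or assert the label after `restorecon`) so the test keeps meaning what its name says even if the default context for `/dev` changes.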
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
new file mode 100644
index 0000000000..a8280bf37e
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ln -s /dev/cpu /dev/foo
+restorecon -F /dev/foo

@ -1,280 +0,0 @@
From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 13:19:01 +0200
Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
Adds a when clause to Ansible snippets of rules with Package CPE platform.
If the when clause is added, a fact_packages Task needs to be added as
well.
---
ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index a9ef3014ac..597aed5889 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -6,8 +6,7 @@
import os.path
import re
import codecs
-from collections import defaultdict, namedtuple
-
+from collections import defaultdict, namedtuple, OrderedDict
import ssg.yaml
from . import build_yaml
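Review bot: the blank line that separated the standard-library imports from `import ssg.yaml` was dropped along with the `OrderedDict` import change; keep the separating blank line the original had so the import groups stay distinct.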
@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class):
else:
return []
+ def inject_package_facts_task(self, parsed_snippet):
+ """ Injects a package_facts task only if
+ the snippet has a task with a when clause with ansible_facts.packages,
+ and the snippet doesn't already have an package_facts task
+ """
+ has_package_facts_task = False
+ has_ansible_facts_packages_clause = False
+
+ for p_task in parsed_snippet:
+ # We are only interested in the OrderedDicts, which represent Ansible tasks
+ if not isinstance(p_task, dict):
+ continue
+
+ if "package_facts" in p_task:
+ has_package_facts_task = True
+
+ if "ansible_facts.packages" in p_task.get("when", ""):
+ has_ansible_facts_packages_clause = True
+
+ if has_ansible_facts_packages_clause and not has_package_facts_task:
+ facts_task = OrderedDict({'name': 'Gather the package facts',
+ 'package_facts': {'manager': 'auto'}})
+ parsed_snippet.insert(0, facts_task)
+
def update_when_from_rule(self, to_update):
additional_when = ""
- if self.associated_rule.platform == "machine":
- additional_when = ('ansible_virtualization_role != "guest" '
- 'or ansible_virtualization_type != "docker"')
+ rule_platform = self.associated_rule.platform
+ if rule_platform == "machine":
+ additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
+ elif rule_platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # It doesn't make sense to add a conditional on the task that
+ # gathers data for the conditional
+ if "package_facts" in to_update:
+ return
+
+ additional_when = '"' + rule_platform + '" in ansible_facts.packages'
+ # After adding the conditional, we need to make sure package_facts are collected.
+ # This is done via inject_package_facts_task()
to_update.setdefault("when", "")
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
if not new_when:
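Review bot: `p_task.get("when", "")` in `inject_package_facts_task` can be a list (Ansible accepts `when:` as a list, and `update_when_from_rule` feeds `when` through `update_yaml_list_or_string`, whose name suggests it can produce one), and `"ansible_facts.packages" in <list>` tests element equality rather than substring, so no `package_facts` task is injected for list-valued conditions; normalise to a list before the substring check (3/5 does exactly this and should be squashed here). `OrderedDict({'name': ..., 'package_facts': ...})` is built from a plain dict literal, which only preserves key order on Python 3.7+, so pass a list of tuples. Finally, the `machine` condition changes from `ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"` to `ansible_virtualization_type not in ["docker", "lxc", "openvz"]`, a behaviour change unrelated to the Package CPE work that deserves its own commit or at least a sentence in the message.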
@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
to_update["when"] = new_when
def update(self, parsed, config):
+ # We split the remediation update in three steps
+
+ # 1. Update the when clause
for p in parsed:
if not isinstance(p, dict):
continue
self.update_when_from_rule(p)
+
+ # 2. Inject any extra task necessary
+ self.inject_package_facts_task(parsed)
+
+ # 3. Add tags to all tasks, including the ones we have injected
+ for p in parsed:
+ if not isinstance(p, dict):
+ continue
self.update_tags_from_config(p, config)
self.update_tags_from_rule(p)
From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 17:09:06 +0200
Subject: [PATCH 2/5] Add inherited_platform to Rule
This field is exported to the rule when it is resolved.
---
ssg/build_yaml.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index 4ba114eee4..fe290ffc05 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -832,6 +832,7 @@ class Rule(object):
"conflicts": lambda: list(),
"requires": lambda: list(),
"platform": lambda: None,
+ "inherited_platforms": lambda: list(),
"template": lambda: None,
}
@@ -851,6 +852,7 @@ def __init__(self, id_):
self.requires = []
self.conflicts = []
self.platform = None
+ self.inherited_platforms = [] # platforms inherited from the group
self.template = None
@classmethod
@@ -1293,6 +1295,9 @@ def _process_rules(self):
continue
self.all_rules.add(rule)
self.loaded_group.add_rule(rule)
+
+ rule.inherited_platforms.append(self.loaded_group.platform)
+
if self.resolved_rules_dir:
output_for_rule = os.path.join(
self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
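Review bot: `rule.inherited_platforms.append(self.loaded_group.platform)` records only the platform of the group the rule is loaded into and appends `None` when that group has no platform; if platforms are meant to be inherited through the whole group hierarchy this needs to walk the parent groups, and in either case skip `None` so that consumers such as `update_when_from_rule` do not have to guard against it.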
From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 17:21:35 +0200
Subject: [PATCH 3/5] Add when clauses for inherited platforms too
Consider the Rule's Group platform while including 'when' clauses to
Ansible snippets.
Some rules have two platforms, a machine platform and a package
platform. One of them is represented in the Rule, and the other is
represented in the Rule's Group.
The platforms are organized like this due to a limitation in XCCDF:
multiple platforms in a Rule are ORed, not ANDed.
---
ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 597aed5889..a2a996d0af 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
if "package_facts" in p_task:
has_package_facts_task = True
- if "ansible_facts.packages" in p_task.get("when", ""):
- has_ansible_facts_packages_clause = True
+ # When clause of the task can be string or a list, lets normalize to list
+ task_when = p_task.get("when", "")
+ if type(task_when) is str:
+ task_when = [ task_when ]
+ for when in task_when:
+ if "ansible_facts.packages" in when:
+ has_ansible_facts_packages_clause = True
if has_ansible_facts_packages_clause and not has_package_facts_task:
facts_task = OrderedDict({'name': 'Gather the package facts',
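Review bot: `type(task_when) is str` misses `unicode` strings if the build still runs under Python 2 (YAML loaders there return `unicode`) and any `str` subclass, in which case the string is iterated character by character and the substring check never matches; use `isinstance(task_when, ...)` with whatever string-type alias the project already uses for Python 2/3 compatibility. Style: `[ task_when ]` should be `[task_when]`.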
@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
parsed_snippet.insert(0, facts_task)
def update_when_from_rule(self, to_update):
- additional_when = ""
- rule_platform = self.associated_rule.platform
- if rule_platform == "machine":
- additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
- elif rule_platform is not None:
- # Assume any other platform is a Package CPE
-
- # It doesn't make sense to add a conditional on the task that
- # gathers data for the conditional
- if "package_facts" in to_update:
- return
-
- additional_when = '"' + rule_platform + '" in ansible_facts.packages'
- # After adding the conditional, we need to make sure package_facts are collected.
- # This is done via inject_package_facts_task()
+ additional_when = []
+
+ rule_platforms = set([self.associated_rule.platform] +
+ self.associated_rule.inherited_platforms)
+
+ for platform in rule_platforms:
+ if platform == "machine":
+ additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
+ elif platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # It doesn't make sense to add a conditional on the task that
+ # gathers data for the conditional
+ if "package_facts" in to_update:
+ continue
+
+ additional_when.append('"' + platform + '" in ansible_facts.packages')
+ # After adding the conditional, we need to make sure package_facts are collected.
+ # This is done via inject_package_facts_task()
+
to_update.setdefault("when", "")
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
if not new_when:
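Review bot: the `if "package_facts" in to_update: continue` check inside the loop does not depend on `platform`, so it is re-evaluated for every package platform while the `machine` branch still appends its conditional to the package_facts task. If the intent is that the fact-gathering task is never conditionalized, hoist the check above `for platform in rule_platforms:` and return early; if the `machine` conditional is meant to apply to it, a comment saying so would help, since the `continue` only skips package platforms. Also, `set([self.associated_rule.platform] + self.associated_rule.inherited_platforms)` assumes `inherited_platforms` is a list (PATCH 4/5 below reworks this).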
From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 31 Aug 2020 16:06:14 +0200
Subject: [PATCH 4/5] Improve inherited and rule's platforms handling
Add a quick comment too.
---
ssg/build_remediations.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index a2a996d0af..9e622ef740 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
def update_when_from_rule(self, to_update):
additional_when = []
- rule_platforms = set([self.associated_rule.platform] +
- self.associated_rule.inherited_platforms)
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms = set(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
for platform in rule_platforms:
if platform == "machine":
From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 31 Aug 2020 16:10:53 +0200
Subject: [PATCH 5/5] Code style and grammar changes
---
ssg/build_remediations.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 9e622ef740..866450dd8c 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
def inject_package_facts_task(self, parsed_snippet):
""" Injects a package_facts task only if
the snippet has a task with a when clause with ansible_facts.packages,
- and the snippet doesn't already have an package_facts task
+ and the snippet doesn't already have a package_facts task
"""
has_package_facts_task = False
has_ansible_facts_packages_clause = False
@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
# When clause of the task can be string or a list, lets normalize to list
task_when = p_task.get("when", "")
if type(task_when) is str:
- task_when = [ task_when ]
+ task_when = [task_when]
for when in task_when:
if "ansible_facts.packages" in when:
has_ansible_facts_packages_clause = True

@ -1,241 +0,0 @@
From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 14:36:07 +0200
Subject: [PATCH 1/5] Align Bash applicability with CPE platform
Wraps the remediation of rules with Package CPE Platform
with an if condition that checks for the respective
platform's package.
---
ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index ccbdf9fc1f..2d4a805e78 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -27,6 +27,13 @@
'kubernetes': '.yml'
}
+PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
+ 'apt_get': 'dpkg-query -s {} &>/dev/null',
+ 'dnf': 'rpm --quiet -q {}',
+ 'yum': 'rpm --quiet -q {}',
+ 'zypper': 'rpm --quiet -q {}',
+}
+
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
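Review bot: `dpkg-query -s {}` in the new `apt_get` entry exits 0 for any package dpkg knows about, including one that was removed but not purged (status `deinstall ok config-files`), so a remediation would run on a system where the package is no longer installed; a status check such as `dpkg-query -W -f='${Status}' {} 2>/dev/null | grep -q 'install ok installed'` is the reliable test. The `{}` auto-numbered fields also fail on Python 2.6 (`{0}` is required; PATCH 4/5 below makes that change).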
@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
def __init__(self, file_path):
super(BashRemediation, self).__init__(file_path, "bash")
+ def parse_from_file_with_jinja(self, env_yaml):
+ self.local_env_yaml.update(env_yaml)
+ result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms = set(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
+
+ platform_conditionals = []
+ for platform in rule_platforms:
+ if platform == "machine":
+ # Based on check installed_env_is_a_container
+ platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
+ elif platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # Some package names are different from the platform names
+ if platform in self.local_env_yaml["platform_package_overrides"]:
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
+
+ # Adjust package check command according to the pkg_manager
+ pkg_manager = self.local_env_yaml["pkg_manager"]
+ pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
+ platform_conditionals.append(pkg_check_command.format(platform))
+
+ if platform_conditionals:
+ platform_fix_text = "# Remediation is applicable only in certain platforms\n"
+
+ cond = platform_conditionals.pop(0)
+ platform_fix_text += "if {}".format(cond)
+ for cond in platform_conditionals:
+ platform_fix_text += " && {}".format(cond)
+ platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
+
+ remediation = namedtuple('remediation', ['contents', 'config'])
+ result = remediation(contents=platform_fix_text, config=result.config)
+
+ return result
class AnsibleRemediation(Remediation):
def __init__(self, file_path):
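Review bot: `self.associated_rule.inherited_platforms` is dereferenced unconditionally in the new `parse_from_file_with_jinja`, so a remediation without an associated rule raises `AttributeError` (PATCH 3/5 below adds the guard). Two smaller points: `[ ! -f /.dockerenv -a ! -f /run/.containerenv ]` uses the obsolescent `-a` operator of `test`, and `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` is the portable form; and `PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]` raises a bare `KeyError` for an unknown `pkg_manager`, where an error naming the product and the offending value would make the build failure diagnosable.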
From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 14:41:01 +0200
Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
Adjust expansion of subs and variables not to remove the whole beginning
of the fix text. This was removing the package conditional wrapping.
---
ssg/build_remediations.py | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 2d4a805e78..49ec557000 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
patcomp = re.compile(pattern, re.DOTALL)
fixparts = re.split(patcomp, fix.text)
if fixparts[0] is not None:
- # Split the portion of fix.text from fix start to first call of
- # remediation function, keeping only the third part:
- # * tail to hold part of the fix.text after inclusion,
- # but before first call of remediation function
+ # Split the portion of fix.text at the string remediation_functions,
+ # and remove preceeding comment whenever it is there.
+ # * head holds part of the fix.text before
+ # remediation_functions string
+ # * tail holds part of the fix.text after the
+ # remediation_functions string
try:
- rfpattern = '(.*remediation_functions)(.*)'
- rfpatcomp = re.compile(rfpattern, re.DOTALL)
- _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
+ rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
+ rfpatcomp = re.compile(rfpattern)
+ head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
except ValueError:
sys.stderr.write("Processing fix.text for: %s rule\n"
% fix.get('rule'))
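Review bot: the new `rfpattern` drops `re.DOTALL`, so `.*` now stops at a newline and the match is the single line containing `remediation_functions` plus the optional comment line before it; that is the intended change, but the comment should state it, because the previous pattern consumed everything up to that point and a reader comparing the two will otherwise assume a regression. With one capturing group and `maxsplit=1`, `re.split` returns exactly three pieces, so the `head, _, tail` unpacking is correct. The comment typo "preceeding" should read "preceding".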
@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
"after inclusion of remediation functions."
" Aborting..\n")
sys.exit(1)
- # If the 'tail' is not empty, make it new fix.text.
+ # If the 'head' is not empty, make it new fix.text.
# Otherwise use ''
- fix.text = tail if tail is not None else ''
+ fix.text = head if head is not None else ''
+ fix.text += tail if tail is not None else ''
# Drop the first element of 'fixparts' since it has been processed
fixparts.pop(0)
# Perform sanity check on new 'fixparts' list content (to continue
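Review bot: `head if head is not None else ''` and the matching `tail` expression are dead guards: the pieces `re.split` returns around a match are never `None` (an empty piece is `''`), so `fix.text = head + tail` is equivalent and clearer.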
From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 20:56:17 +0200
Subject: [PATCH 3/5] Check if remediation has associated rule before use
---
ssg/build_remediations.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 49ec557000..85f7139d8f 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
self.local_env_yaml.update(env_yaml)
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
- # There can be repeated inherited platforms and rule platforms
- rule_platforms = set(self.associated_rule.inherited_platforms)
- rule_platforms.add(self.associated_rule.platform)
+ rule_platforms = set()
+ if self.associated_rule:
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms.update(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
platform_conditionals = []
for platform in rule_platforms:
From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Sep 2020 10:59:43 +0200
Subject: [PATCH 4/5] Fix python2 compat and improve code readability
---
ssg/build_remediations.py | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 85f7139d8f..673d6d0cc6 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -28,10 +28,10 @@
}
PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
- 'apt_get': 'dpkg-query -s {} &>/dev/null',
- 'dnf': 'rpm --quiet -q {}',
- 'yum': 'rpm --quiet -q {}',
- 'zypper': 'rpm --quiet -q {}',
+ 'apt_get': 'dpkg-query -s {0} &>/dev/null',
+ 'dnf': 'rpm --quiet -q {0}',
+ 'yum': 'rpm --quiet -q {0}',
+ 'zypper': 'rpm --quiet -q {0}',
}
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
platform_conditionals.append(pkg_check_command.format(platform))
if platform_conditionals:
- platform_fix_text = "# Remediation is applicable only in certain platforms\n"
+ wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
- cond = platform_conditionals.pop(0)
- platform_fix_text += "if {}".format(cond)
- for cond in platform_conditionals:
- platform_fix_text += " && {}".format(cond)
- platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
+ all_conditions = " && ".join(platform_conditionals)
+ wrapped_fix_text.append("if {0}; then".format(all_conditions))
+
+ # Avoid adding extra blank line
+ if not result.contents.startswith("\n"):
+ wrapped_fix_text.append("")
+
+ wrapped_fix_text.append("{0}".format(result.contents))
+ wrapped_fix_text.append("")
+ wrapped_fix_text.append("else")
+ wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
+ wrapped_fix_text.append("fi")
remediation = namedtuple('remediation', ['contents', 'config'])
- result = remediation(contents=platform_fix_text, config=result.config)
+ result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
return result
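Review bot: `namedtuple('remediation', ['contents', 'config'])` defines a new class on every call, and the returned value is no longer an instance of the type the parent `parse_from_file_with_jinja` produced; `result._replace(contents="\n".join(wrapped_fix_text))` keeps the original type and removes the duplicate definition. Also `"{0}".format(result.contents)` is just `result.contents`.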
From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Sep 2020 17:25:27 +0200
Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
---
ssg/build_remediations.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 673d6d0cc6..f269d4d2d6 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
if not result.contents.startswith("\n"):
wrapped_fix_text.append("")
+ # It is possible to indent the original body of the remediation with textwrap.indent(),
+ # however, it is not supported by python2, and there is a risk of breaking remediations
+ # For example, remediations with a here-doc block could be affected.
wrapped_fix_text.append("{0}".format(result.contents))
wrapped_fix_text.append("")
wrapped_fix_text.append("else")

@ -1,203 +0,0 @@
From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 09:50:54 +0200
Subject: [PATCH 1/3] Introduce platform_package_overrides
Introduce a mapping of CPE package platform name to a package name.
Each linux distro or version may have its specific name for a package;
this mapping allows a product to override the package name of a
platform.
By default, it assumes that the package name will be the same as the
platform name.
---
rhel8/product.yml | 7 +++++++
ssg/build_remediations.py | 3 +++
2 files changed, 10 insertions(+)
diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6cdc51919e..6b5b4e2748 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ grub2: "grub2-pc"
+ login_defs: "shadow-utils"
+ sssd: "sssd-common"
+ zipl: "s390x-utils"
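Review bot: please double-check the package names in the new `platform_package_overrides` block before merging: `grub2-pc` is x86_64-only (the later "Check for grub2-common instead of grub2-pc" patch corrects that), and `s390x-utils` should be verified against the actual repository, because with the Bash wrapper introduced in this series a mapping to a nonexistent package makes every `zipl` remediation print "Remediation is not applicable" and do nothing, with no build-time error.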
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 866450dd8c..ccbdf9fc1f 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
if "package_facts" in to_update:
continue
+ if platform in self.local_env_yaml["platform_package_overrides"]:
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
+
additional_when.append('"' + platform + '" in ansible_facts.packages')
# After adding the conditional, we need to make sure package_facts are collected.
# This is done via inject_package_facts_task()
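Review bot: `if platform in overrides: platform = overrides.get(platform)` collapses to `platform = self.local_env_yaml["platform_package_overrides"].get(platform, platform)`. More importantly, indexing `self.local_env_yaml["platform_package_overrides"]` raises `KeyError` for any product whose product.yml does not define the key (only rhel8 does in this patch); either use `.get("platform_package_overrides", {})` or guarantee a default for every product (PATCH 3/3 below does the latter in `open_environment`).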
From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:42:57 +0200
Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
---
rhel8/product.yml | 6 ------
ssg/constants.py | 8 ++++++++
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6b5b4e2748..d839b23231 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
-# Mapping of CPE platform to package
-platform_package_overrides:
- grub2: "grub2-pc"
- login_defs: "shadow-utils"
- sssd: "sssd-common"
- zipl: "s390x-utils"
diff --git a/ssg/constants.py b/ssg/constants.py
index 3f9d7d37ce..7e9678241c 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -501,6 +501,14 @@
"zipl": "cpe:/a:zipl",
}
+# Default platform to package mapping
+XCCDF_PLATFORM_TO_PACKAGE = {
+ "grub2": "grub2-pc",
+ "login_defs": "login",
+ "sssd": "sssd-common",
+ "zipl": "s390x-utils",
+}
+
# _version_name_map = {
MAKEFILE_ID_TO_PRODUCT_MAP = {
'chromium': 'Google Chromium Browser',
From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:47:29 +0200
Subject: [PATCH 3/3] Allow override of default platform package mapping
With default platform to package mappings defined, we need to allow a
product to override it if needed.
---
rhel6/product.yml | 4 ++++
rhel7/product.yml | 4 ++++
rhel8/product.yml | 3 +++
rhosp10/product.yml | 3 +++
rhosp13/product.yml | 4 ++++
rhv4/product.yml | 4 ++++
ssg/yaml.py | 6 +++++-
8 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/rhel6/product.yml b/rhel6/product.yml
index cc8fa4f8ed..eab9b80c47 100644
--- a/rhel6/product.yml
+++ b/rhel6/product.yml
@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhel7/product.yml b/rhel7/product.yml
index f03c928b8f..3ff996b8cc 100644
--- a/rhel7/product.yml
+++ b/rhel7/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhel8/product.yml b/rhel8/product.yml
index d839b23231..f3aa59faec 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhosp10/product.yml b/rhosp10/product.yml
index 51d0a932a5..af42ca998d 100644
--- a/rhosp10/product.yml
+++ b/rhosp10/product.yml
@@ -10,3 +10,6 @@ pkg_manager: "yum"
init_system: "systemd"
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhosp13/product.yml b/rhosp13/product.yml
index 5e849ff609..ba42a31cd7 100644
--- a/rhosp13/product.yml
+++ b/rhosp13/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
pkg_manager: "yum"
init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhv4/product.yml b/rhv4/product.yml
index 10a2eda079..a61bf1588d 100644
--- a/rhv4/product.yml
+++ b/rhv4/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/ssg/yaml.py b/ssg/yaml.py
index cefbba374c..22cf5bad66 100644
--- a/ssg/yaml.py
+++ b/ssg/yaml.py
@@ -10,7 +10,8 @@
from .jinja import load_macros, process_file
from .constants import (PKG_MANAGER_TO_SYSTEM,
- PKG_MANAGER_TO_CONFIG_FILE)
+ PKG_MANAGER_TO_CONFIG_FILE,
+ XCCDF_PLATFORM_TO_PACKAGE)
from .constants import DEFAULT_UID_MIN
try:
@@ -138,6 +139,9 @@ def open_raw(yaml_file):
def open_environment(build_config_yaml, product_yaml):
contents = open_raw(build_config_yaml)
+ # Load common platform package mappings,
+ # any specific mapping in product_yaml will override the default
+ contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
contents.update(open_raw(product_yaml))
contents.update(_get_implied_properties(contents))
return contents
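Review bot: `contents.update(open_raw(product_yaml))` replaces the `platform_package_overrides` value wholesale rather than merging it, so a product that overrides only `login_defs` (every product.yml in this patch) loses the `grub2`, `sssd` and `zipl` defaults just moved into `XCCDF_PLATFORM_TO_PACKAGE`. Merge instead: `overrides = dict(XCCDF_PLATFORM_TO_PACKAGE); overrides.update(product.get("platform_package_overrides", {})); contents["platform_package_overrides"] = overrides`. Assigning the module-level constant itself also means any later in-place change to `contents["platform_package_overrides"]` mutates the shared default.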

@ -1,183 +0,0 @@
From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 2 Sep 2020 10:01:45 +0200
Subject: [PATCH] add CUI kickstart for rhel8
---
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
1 file changed, 167 insertions(+)
create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
new file mode 100644
index 0000000000..0957fded96
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cui
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
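Review bot: the comment above `bootloader` ("Refer to e.g. .../commands.html#rootpw ... encrypted password form") is copied from the `rootpw` block and promises an encrypted-password example that the command does not use; either point at the bootloader section of the documentation and, if a bootloader password is intended, add the `--iscrypted --password=` options, or drop the two lines. Also: `install` and `authconfig` are deprecated kickstart commands on RHEL 8 (`authselect` replaces the latter), the DHCP note cites a RHEL 6 identifier (CCE-27021-5 / RHEL-06-000292) in a RHEL 8 file, and the `rootpw` and `user` hashes have their plaintext documented in the comments, so the header should state that they are sample credentials to be replaced before the file is used.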

@ -1,92 +0,0 @@
From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 21 Sep 2020 10:26:53 +0200
Subject: [PATCH] Remove zIPL rule for PTI bootloader option
This setting is to mitigate a problem specific to Intel archs.
Also returns the CCE to the pool.
---
.../zipl_pti_argument/rule.yml | 38 -------------------
rhel8/profiles/ospp.profile | 1 -
rhel8/profiles/stig.profile | 1 -
.../data/profile_stability/rhel8/ospp.profile | 1 -
4 files changed, 41 deletions(-)
delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
deleted file mode 100644
index 96170e6d85..0000000000
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-documentation_complete: true
-
-prodtype: rhel8
-
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
-
-description: |-
- To enable Kernel page-table isolation,
- check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
- included in its options.<br />
- To ensure that new kernels and boot entries continue to enable page-table isolation,
- add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
-
-rationale: |-
- Kernel page-table isolation is a kernel feature that mitigates
- the Meltdown security vulnerability and hardens the kernel
- against attempts to bypass kernel address space layout
- randomization (KASLR).
-
-severity: medium
-
-identifiers:
- cce@rhel8: 83361-6
-
-ocil_clause: 'Kernel page-table isolation is not enabled'
-
-ocil: |-
- To check that page-table isolation is enabled at boot time, check all boot entries with following command:
- <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
-
-platform: machine
-
-template:
- name: zipl_bls_entries_option
- vars:
- arg_name: pti
- arg_value: 'on'
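Review bot: the commit message says the CCE is returned to the pool, but the diffstat lists only the rule file and three profile files; `83361-6`, removed with this rule, should be added back to the available-CCE list in the same commit, otherwise the identifier leaks.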
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5e81e4a92a..46f00c89f1 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -426,4 +426,3 @@ selections:
- zipl_vsyscall_argument
- zipl_vsyscall_argument.role=unscored
- zipl_vsyscall_argument.severity=info
- - zipl_pti_argument
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 53647475aa..817d5dbadd 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -52,7 +52,6 @@ selections:
- "!zipl_audit_argument"
- "!zipl_audit_backlog_limit_argument"
- "!zipl_page_poison_argument"
- - "!zipl_pti_argument"
- "!zipl_slub_debug_argument"
- "!zipl_vsyscall_argument"
- "!zipl_vsyscall_argument.role=unscored"
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 7b7307cba8..223b1423cd 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -219,7 +219,6 @@ selections:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
- zipl_page_poison_argument
-- zipl_pti_argument
- zipl_slub_debug_argument
- zipl_vsyscall_argument
- var_sshd_set_keepalive=0

@ -1,49 +0,0 @@
From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 9 Oct 2020 09:30:35 +0200
Subject: [PATCH] Do not platform wrap empty Bash remediation
The fix text for a rule can end up empty if a Jinja macro or conditional
doesn't render any text.
In these cases, avoid wrapping empty lines in an if-else, as this causes
a syntax error.
---
ssg/build_remediations.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index f269d4d2d6..572db61701 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
self.local_env_yaml.update(env_yaml)
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ # Avoid platform wrapping empty fix text
+ # Remediations can be empty when a Jinja macro or conditional
+ # renders no fix text for a product
+ stripped_fix_text = result.contents.strip()
+ if stripped_fix_text == "":
+ return result
+
rule_platforms = set()
if self.associated_rule:
# There can be repeated inherited platforms and rule platforms
@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
all_conditions = " && ".join(platform_conditionals)
wrapped_fix_text.append("if {0}; then".format(all_conditions))
-
- # Avoid adding extra blank line
- if not result.contents.startswith("\n"):
- wrapped_fix_text.append("")
-
+ wrapped_fix_text.append("")
# It is possible to indent the original body of the remediation with textwrap.indent(),
# however, it is not supported by python2, and there is a risk of breaking remediations
# For example, remediations with a here-doc block could be affected.
- wrapped_fix_text.append("{0}".format(result.contents))
+ wrapped_fix_text.append("{0}".format(stripped_fix_text))
wrapped_fix_text.append("")
wrapped_fix_text.append("else")
wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
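Review bot: switching the body from `result.contents` to `stripped_fix_text` in `wrapped_fix_text.append("{0}".format(stripped_fix_text))` also trims the trailing newline, so the unconditional `wrapped_fix_text.append("")` after it is now what keeps `else` on its own line; dropping the old `startswith("\n")` guard is correct because a stripped body can never begin with a newline. Since the comment above singles out here-doc blocks as the fragile case, this change wants a test with a remediation that ends in a here-doc terminator (the terminator must still be the last thing before the blank line) and one whose rendering is whitespace only (must not be wrapped at all).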


@ -1,116 +0,0 @@
From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:40:39 +0200
Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc
Check for grub2 installation based on grub2-common.
grub2-pc is a x86_64 package, but other arches use grub2 as well.
---
.../checks/oval/installed_env_has_grub2_package.xml | 12 ++++++------
ssg/constants.py | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index e83f45bc3b..2a170d668e 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -6,31 +6,31 @@
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
- <description>Checks if package grub2-pc is installed.</description>
+ <description>Checks if package grub2-common is installed.</description>
<reference ref_id="cpe:/a:grub2" source="CPE" />
</metadata>
<criteria>
- <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+ <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
</criteria>
</definition>
{{% if pkg_system == "rpm" %}}
<linux:rpminfo_test check="all" check_existence="at_least_one_exists"
id="test_env_has_grub2_installed" version="1"
- comment="system has package grub2-pc installed">
+ comment="system has package grub2-common installed">
<linux:object object_ref="obj_env_has_grub2_installed" />
</linux:rpminfo_test>
<linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
- <linux:name>grub2-pc</linux:name>
+ <linux:name>grub2-common</linux:name>
</linux:rpminfo_object>
{{% elif pkg_system == "dpkg" %}}
<linux:dpkginfo_test check="all" check_existence="all_exist"
id="test_env_has_grub2_installed" version="1"
- comment="system has package grub2-pc installed">
+ comment="system has package grub2-common installed">
<linux:object object_ref="obj_env_has_grub2_installed" />
</linux:dpkginfo_test>
<linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
- <linux:name>grub2-pc</linux:name>
+ <linux:name>grub2-common</linux:name>
</linux:dpkginfo_object>
{{% endif %}}
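Review bot: the rpm and dpkg branches are renamed consistently, but while the file is open it is worth aligning `check_existence`, which is `at_least_one_exists` on the `rpminfo_test` and `all_exist` on the `dpkginfo_test`; with a single object both evaluate the same, so the difference is only confusing. Confirm that `grub2-common` is the package name on the dpkg-based products this check is rendered for; on the RPM side it is the architecture-independent package that `grub2-pc` and the EFI variants depend on, which is what makes it the right anchor for the platform check.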
diff --git a/ssg/constants.py b/ssg/constants.py
index b07fe5f0fe..88316374b5 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -468,7 +468,7 @@
# Default platform to package mapping
XCCDF_PLATFORM_TO_PACKAGE = {
- "grub2": "grub2-pc",
+ "grub2": "grub2-common",
"login_defs": "login",
"sssd": "sssd-common",
"zipl": "s390utils-base",
From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:49:15 +0200
Subject: [PATCH 2/2] Handle exception of grub2-common in ppc64le
ppc64le systems can use Grub2 or OPAL and the package set will be the
same in both cases.
Add a few more checks to make sure ppc64le arch is handled correctly.
---
.../oval/installed_env_has_grub2_package.xml | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index 2a170d668e..fb2c9cc784 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -9,8 +9,18 @@
<description>Checks if package grub2-common is installed.</description>
<reference ref_id="cpe:/a:grub2" source="CPE" />
</metadata>
- <criteria>
+ <criteria operator="AND">
<criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
+ <criteria operator="OR">
+ <!-- On ppc64le systems, OF (Grub2) or OPAL (petitboot) can be used,
+ and unfortunately the package set installed is the same in both cases.
+ But when OPAL is used, /sys/firmware/opal exists.
+ So the system uses grub when: -->
+ <!-- grub2-common is installed and arch is not a ppc64le -->
+ <criterion comment="Test for ppcle64 architecture" test_ref="test_system_info_architecture_ppcle_64" negate="true" />
+ <!-- or when grub2-common is installed, arch is a ppc64le but OPAL is not used -->
+ <criterion comment="Test if OPAL is not used" test_ref="test_system_using_opal" negate="true" />
+ </criteria>
</criteria>
</definition>
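Review bot: `test_system_info_architecture_ppcle_64` is referenced by the first negated criterion but not defined in this diff, so it must come from a shared OVAL definition; verify that exact id (note the `ppcle_64` spelling, which differs from the `ppc64le` used in the surrounding comments) resolves at build time, because an unresolved `test_ref` turns the whole definition into an error result. The boolean itself is right: `grub2-common installed AND (NOT ppc64le OR NOT OPAL)` is what the comments describe. Keep in mind it still only proves the package is present; on a ppc64le host without `/sys/firmware/opal` it does not show that grub2 is the bootloader in use.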
@@ -34,4 +44,11 @@
</linux:dpkginfo_object>
{{% endif %}}
+ <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firware/opal exists" id="test_system_using_opal" version="1">
+ <unix:object object_ref="object_system_using_opal" />
+ </unix:file_test>
+ <unix:file_object id="object_system_using_opal" version="1">
+ <unix:filepath>/sys/firmware/opal</unix:filepath>
+ </unix:file_object>
+
</def-group>
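Review bot: the `comment` attribute on the new `unix:file_test` reads `/sys/firware/opal` (missing the `m`) while `<unix:filepath>` correctly says `/sys/firmware/opal`; fix the comment so scan reports do not show a path that does not exist. `/sys/firmware/opal` is a directory, so confirm on an OPAL host that OpenSCAP collects it through `filepath` with `check_existence="all_exist"`; if the probe only returns regular files for `filepath`, the object needs `path` with a nil `filename` instead, and the OPAL branch of the criteria would silently never match.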


@ -1,38 +0,0 @@
From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 11:29:57 +0200
Subject: [PATCH] Fix load of product platform mapping
The product specific mappings were overriding the common mappings,
instead of being merged with them.
---
ssg/yaml.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssg/yaml.py b/ssg/yaml.py
index 22cf5bad66..d8856e52c9 100644
--- a/ssg/yaml.py
+++ b/ssg/yaml.py
@@ -13,6 +13,7 @@
PKG_MANAGER_TO_CONFIG_FILE,
XCCDF_PLATFORM_TO_PACKAGE)
from .constants import DEFAULT_UID_MIN
+from .utils import merge_dicts
try:
from yaml import CSafeLoader as yaml_SafeLoader
@@ -139,10 +140,11 @@ def open_raw(yaml_file):
def open_environment(build_config_yaml, product_yaml):
contents = open_raw(build_config_yaml)
- # Load common platform package mappings,
- # any specific mapping in product_yaml will override the default
- contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
contents.update(open_raw(product_yaml))
+ platform_package_overrides = contents.get("platform_package_overrides", {})
+ # Merge common platform package mappings, while keeping product specific mappings
+ contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE,
+ platform_package_overrides)
contents.update(_get_implied_properties(contents))
return contents
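Review bot: the argument order in `merge_dicts(XCCDF_PLATFORM_TO_PACKAGE, platform_package_overrides)` is the whole fix, and it is only a fix if `merge_dicts` lets the second argument win on duplicate keys; add a comment stating that precedence and a unit test in which the product yaml overrides one key (say `grub2`) and the remaining defaults survive, since the previous code lost the common mappings outright. A second benefit worth a comment: `contents["platform_package_overrides"]` no longer aliases the module-level `XCCDF_PLATFORM_TO_PACKAGE` dict (assuming `merge_dicts` returns a new dict), so later edits to `contents` can no longer mutate the shared constant.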


@ -1,22 +0,0 @@
From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 29 Sep 2020 15:28:02 +0200
Subject: [PATCH] Fix zIPL package mapping
---
ssg/constants.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/constants.py b/ssg/constants.py
index 0eca2f4f95..fa6c756ff6 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -470,7 +470,7 @@
"grub2": "grub2-pc",
"login_defs": "login",
"sssd": "sssd-common",
- "zipl": "s390x-utils",
+ "zipl": "s390utils-base",
}
# _version_name_map = {


@ -1,16 +0,0 @@
From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 29 Sep 2020 15:04:39 +0200
Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group
This will put the rule under grub2 platform, so the rule is only
applicable on a machine system with grub2.
---
.../grub2_vsyscall_argument/rule.yml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%)
diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
similarity index 100%
rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml



@ -0,0 +1,137 @@
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 7da2e067a6..5d01170aab 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -33,6 +33,7 @@ references:
cis@sle12: 5.2.4
cis@sle15: 5.2.6
stigid@rhel7: RHEL-07-040710
+ stigid@ol7: OL07-00-040710
srg: SRG-OS-000480-GPOS-00227
disa: CCI-000366
nist: CM-6(b)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 87c3cb7f5a..5683676bfc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -23,7 +23,6 @@ identifiers:
cce@sle12: CCE-83017-4
references:
- stigid@ol7: OL07-00-040710
cui: 3.1.13
disa: CCI-000366
nist: CM-6(a),AC-17(a),AC-17(2)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 50c7d689af..42cb32e30e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -51,7 +51,6 @@ identifiers:
cce@rhel8: CCE-81032-5
references:
- stigid@ol7: OL07-00-040110
cis: 5.2.10
cjis: 5.5.6
cui: 3.1.13,3.13.11,3.13.8
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
index 0751064179..73de17af35 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -32,6 +32,7 @@ references:
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040110
+ stigid@ol7: OL07-00-040110
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index c490756daf..13997f9418 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -46,7 +46,6 @@ identifiers:
cce@sle12: CCE-83036-4
references:
- stigid@ol7: OL07-00-040400
cis: 5.2.12
cui: 3.1.13,3.13.11,3.13.8
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index 88d2d77e14..bd597f0860 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -25,6 +25,7 @@ references:
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040400
+ stigid@ol7: OL07-00-040400
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 7267d2443a..b0fe065d86 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
stig@rhel7: RHEL-07-040711
+ stig@ol7: OL07-00-040711
disa: CCI-000366
nist: CM-6(b)
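Review bot: the added `stig@ol7: OL07-00-040711`, like the existing `stig@rhel7: RHEL-07-040711` above it, uses the key `stig@`, whereas every other rule touched in this diff uses `stigid@rhel7` / `stigid@ol7`; unless the build tooling accepts both spellings, these references will be missing from the generated STIG mapping tables. Rename both to `stigid@` here rather than carrying the inconsistency forward.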
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 820a942220..dfcbbafd17 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
ocil: |-
To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
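Review bot: the new awk expression is a real improvement over `egrep ':[0-9]{4}'`, which matched any four-digit run anywhere in the passwd line (a UID, a GID, or digits in the home path) and so pulled in system accounts while missing five-digit UIDs; `($3>=1000)&&($7 !~ /nologin/)` selects interactive users properly. Two remaining approximations are worth a sentence in the OCIL text: 1000 is the `UID_MIN` of a default `login.defs`, not the value configured on the host, and shells such as `/bin/false` are not excluded by the `nologin` pattern, so a few non-interactive accounts may still be listed. The `&gt;` and `&amp;&amp;` entities are required because the OCIL text is embedded in XML, so they are correct as written.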
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index 7d5778d4f6..37cb36cda3 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
ocil: |-
To verify the home directory ownership, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
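Review bot: same remarks as for the `file_groupownership_home_directories` hunk above: the awk filter is the right replacement for the four-digit regex, with the hard-coded `UID_MIN` of 1000 and the `nologin`-only shell exclusion as the remaining approximations. Since the identical command now appears in both rules, moving it into a shared Jinja macro would keep the two from drifting apart the next time one of them is corrected.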


@ -0,0 +1,34 @@
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 Jan 2021 09:42:26 +0100
Subject: [PATCH] Add metadata to ANSSI R35
Current implementation cannot differentiate between system and
standard user umask, they are both set to the same value.
---
controls/anssi.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..621996e985 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -572,10 +572,18 @@ controls:
only be read by the user and his group, and be editable only by his owner).
The umask for users must be set to 0077 (any file created by a user is
readable and editable only by him).
+ notes: >-
+ There is no simple way to check and remediate different umask values for
+ system and standard users reliably.
+ The different values are set in a conditional clause in a shell script
+ (e.g. /etc/profile or /etc/bashrc).
+ The current implementation checks and fixes both umask to the same value.
+ automated: partially
rules:
- var_accounts_user_umask=077
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
- id: R36
title: Rights to access sensitive content files


@ -0,0 +1,94 @@
From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 14:01:03 +0100
Subject: [PATCH 1/3] add rule
---
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
new file mode 100644
index 0000000000..1811c43815
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,rhel7,rhel8
+
+title: 'Disable loading and unloading of kernel modules'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
+
+rationale: |-
+ Malicious kernel modules can have a significant impact on system security and
+ availability. Disabling loading of kernel modules prevents this threat. Note
+ that once this option has been set, it cannot be reverted without doing a
+ system reboot. Make sure that all needed kernel modules are loaded before
+ setting this option.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83392-1
+ cce@rhel8: CCE-83397-0
+
+references:
+ anssi: BP28(R24)
+
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.modules_disabled
+ sysctlval: '1'
+ datatype: int
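Review bot: the rationale correctly warns that `kernel.modules_disabled=1` cannot be reverted without a reboot, but that warning needs to reach whoever runs the remediation, not only whoever reads the rule: if the `sysctl` template's Bash or Ansible fix applies the value live as well as writing it to `/etc/sysctl.d`, every rule remediated later in the same run that needs a module (filesystem, network, crypto) will fail in that session, and on a host where a required module is not yet loaded the fix itself is disruptive. Add a `warnings:` entry to the rule stating this, and make sure profiles that select it order it after rules that load or blacklist modules; the `platform: machine` restriction is the right call, since containers cannot honour it.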
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 14:01:15 +0100
Subject: [PATCH 2/3] add rule to anssi profile
---
controls/anssi.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 9e2b899b6d..f435459af3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -483,7 +483,8 @@ controls:
sysctl kernel.modules_disabledconf:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
- # rules: TBD
+ rules:
+ - sysctl_kernel_modules_disabled
- id: R25
level: enhanced
From a4a91fbb7f23854e4f80819a023c1adc4e7110c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 Jan 2021 09:30:01 +0100
Subject: [PATCH 3/3] remove cces from pool
---
shared/references/cce-redhat-avail.txt | 2 --
1 file changed, 2 deletions(-)
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4dbec8255c..137d975a3d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,5 +1,3 @@
-CCE-83392-1
-CCE-83397-0
CCE-83398-8
CCE-83399-6
CCE-83404-4


@ -0,0 +1,117 @@
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:25:05 +0200
Subject: [PATCH 1/2] var pam unix remember, add selector
Add selector "2" to var_password_pam_unix_remember.
---
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
index f533a36963..6e7abb3b78 100644
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
@@ -18,6 +18,7 @@ options:
"0": "0"
10: 10
24: 24
+ 2: 2
4: 4
5: 5
default: 5
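Review bot: inserting `2: 2` between `24: 24` and `4: 4` leaves the options block in no order at all (neither numeric nor string sorted); place it after `"0": "0"` or sort the block numerically so the next selector lands in a predictable spot. Style only; the mapping itself is what the `var_password_pam_unix_remember=2` selection in the next patch depends on.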
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Oct 2020 17:29:47 +0200
Subject: [PATCH 2/2] Select rules for password strength management
Rule selection is based on ANSSI DAT-NT-001
---
controls/anssi.yml | 45 ++++++++++++++++++-
.../var_password_pam_minlen.var | 2 +
...ar_accounts_password_minlen_login_defs.var | 2 +
3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..3ccd0f8cb3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -281,7 +281,50 @@ controls:
- id: R18
level: minimal
title: Administrator password robustness
- # rules: TBD
+ notes: >-
+ The rules selected below establish a general password strength baseline of 100 bits,
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
+
+ The baseline should be reviewed and tailored to the system's use case and needs.
+ automated: partially
+ rules:
+ # Renew passwords every 90 days
+ - var_accounts_maximum_age_login_defs=90
+ - accounts_maximum_age_login_defs
+
+ # Ensure passwords with minimum of 18 characters
+ - var_password_pam_minlen=18
+ - accounts_password_pam_minlen
+ # Enforce password lenght for new accounts
+ - var_accounts_password_minlen_login_defs=18
+ - accounts_password_minlen_login_defs
+ # Require at Least 1 Special Character in Password
+ - var_password_pam_ocredit=1
+ - accounts_password_pam_ocredit
+ # Require at Least 1 Numeric Character in Password
+ - var_password_pam_dcredit=1
+ - accounts_password_pam_dcredit
+ # Require at Least 1 Uppercase Character in Password
+ - var_password_pam_ucredit=1
+ - accounts_password_pam_ucredit
+ # Require at Least 1 Lowercase Character in Password
+ - var_password_pam_lcredit=1
+ - accounts_password_pam_lcredit
+
+ # Lock out users after 3 failed authentication attempts within 15 min
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_deny=3
+ - accounts_passwords_pam_faillock_deny
+ - accounts_passwords_pam_faillock_deny_root
+ # Automatically unlock users after 15 min to prevent DoS
+ - var_accounts_passwords_pam_faillock_unlock_time=900
+ - accounts_passwords_pam_faillock_unlock_time
+
+ # Do not reuse last two passwords
+ - var_password_pam_unix_remember=2
+ - accounts_password_pam_unix_remember
- id: R19
level: intermediary
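Review bot: two typos in the added text, `"Password Strenght Calculator"` and `# Enforce password lenght for new accounts`. On substance, the comments promise `Require at Least 1 ... Character`, but pam_pwquality only enforces a minimum when the credit value is negative (`ocredit=-1`); a positive credit is a maximum bonus and requires nothing. That holds only if selector `1` of each `var_password_pam_*credit` variable maps to `-1`, so state that assumption in the notes or verify it against the `.var` files before claiming a 100-bit baseline. Also worth a sentence in `notes:`: `accounts_passwords_pam_faillock_deny_root` locks root after 3 failures with a 15-minute unlock, which is a deliberate availability trade-off the control should own explicitly.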
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
index f506a090bb..873d907ab9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
@@ -15,6 +15,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
7: 7
8: 8
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
index f41ff432ec..662c53b076 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
@@ -13,6 +13,8 @@ options:
12: 12
14: 14
15: 15
+ 18: 18
+ 20: 20
6: 6
8: 8
default: 15


@ -0,0 +1,47 @@
From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 28 Oct 2020 18:52:13 +0100
Subject: [PATCH] Select rules for ANSSI R37
These rules are better fit for R37 than R38.
R37 is about binaries designed to be used with setuid or setgid bits.
R38 is about reducing number of binaries with setuid root.
---
controls/anssi.yml | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 26bc7f4694..4648b98dff 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -590,8 +590,17 @@ controls:
- id: R37
level: minimal
- title: Executables with setuid and/or setgid bits
- # rules: TBD
+ title: Executables with setuid and setgid bits
+ notes: >-
+ Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
+ This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
+ recognized and authorized repositories (covered in R15).
+ The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
+ should be reviewed.
+ automated: yes
+ rules:
+ - file_permissions_unauthorized_suid
+ - file_permissions_unauthorized_sgid
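Review bot: the notes say the remediation `resets the sticky bit`, but the selected rules (`file_permissions_unauthorized_suid` and `file_permissions_unauthorized_sgid`) act on the setuid and setgid bits; the sticky bit is a different mode bit, so reword to avoid misleading the reader. `apropriate` is also misspelled. Otherwise the move from R38 to R37 matches the commit message: these rules compare against the vendor-intended bits, which is R37's scope, while R38 (minimising setuid root binaries) stays unaddressed.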
- id: R38
level: enhanced
@@ -600,9 +609,7 @@ controls:
Setuid executables should be as small as possible. When it is expected
that only the administrators of the machine execute them, the setuid bit
must be removed and prefer them commands like su or sudo, which can be monitored
- rules:
- - file_permissions_unauthorized_suid
- - file_permissions_unauthorized_sgid
+ # rules: TBD
- id: R39
level: intermediary


@ -0,0 +1,37 @@
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 Jan 2021 11:04:05 +0100
Subject: [PATCH] Add variable selector and notes for R29
---
controls/anssi.yml | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..3303d70295 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -521,10 +521,22 @@ controls:
description: >-
Remote user sessions (shell access, graphical clients) must be closed
after a certain period of inactivity.
+ notes: >-
+ There is no specific capability to check remote user inactivity, but some shells allow the
+ session inactivity time out to be configured via TMOUT variable.
+ In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
+ The server is configured to disconnect sessions if no data has been received within the idle timeout,
+ regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
+ In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
+ The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
+ "don't disconnect network inactive sessions". The server either probes for the client liveness
+ or keeps inactive sessions connected.
+ automated: yes
rules:
- accounts_tmout
+ - var_accounts_tmout=10_min
- sshd_set_idle_timeout
- - sshd_idle_timeout_value=5_minutes
+ - sshd_idle_timeout_value=10_minutes
- sshd_set_keepalive
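Review bot: the sentence `In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness` contradicts the one that follows it (`The server either probes for the client liveness or keeps inactive sessions connected`): with 8.2 the server still drops a client that fails its liveness probes; what it can no longer do is drop a session purely for network inactivity when the client keeps answering. Reword to `based on network inactivity`. Given that, `automated: yes` overstates the coverage the notes themselves open by denying (`There is no specific capability to check remote user inactivity`); `partially` would match the text. The selector changes `var_accounts_tmout=10_min` and `sshd_idle_timeout_value=10_minutes` are consistent with each other.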
- id: R30


@ -0,0 +1,106 @@
From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:07:48 +0100
Subject: [PATCH 1/4] add rule
---
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 3 --
2 files changed, 43 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
new file mode 100644
index 0000000000..67131e509c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,rhel7
+
+title: 'Prevent remote hosts from connecting to the proxy display'
+
+description: |-
+ The SSH daemon should prevent remote hosts from connecting to the proxy
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
+ <tt>yes</tt> within the SSH server configuration file.
+
+
+rationale: |-
+ When X11 forwarding is enabled, there may be additional exposure to the
+ server and client displays if the sshd proxy display is configured to listen
+ on the wildcard address. By default, sshd binds the forwarding server to the
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
+ environment variable to localhost. This prevents remote hosts from
+ connecting to the proxy display.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83404-4
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+ stig@rhel7: RHEL-07-040711
+ disa: CCI-000366
+ nist: CM-6(b)
+
+ocil_clause: "the display proxy is listening on wildcard address"
+
+ocil: |-
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: X11UseLocalhost
+ rule_id: sshd_x11_use_localhost
+ value: 'yes'
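Review bot: `stig@rhel7: RHEL-07-040711` uses the key `stig@`, while sibling SSH rules use `stigid@rhel7`; rename it so the reference is collected into the STIG tables. `missing_parameter_pass: 'false'` contradicts the OCIL entry's `default="yes"` (sshd defaults `X11UseLocalhost` to yes, so an absent directive is compliant); patch 4/4 in this series flips it to `'true'`, so squashing that correction into this commit would avoid a broken intermediate state in the history. There is also a stray double blank line after the `description` block.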
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 13 Jan 2021 17:08:08 +0100
Subject: [PATCH 2/4] add rule to the stig profile
---
rhel7/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 88b50d5ef4..817e0982e5 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -286,6 +286,7 @@ selections:
- package_vsftpd_removed
- package_tftp-server_removed
- sshd_enable_x11_forwarding
+ - sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed
- xwindows_runlevel_target
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Fri, 15 Jan 2021 07:46:09 +0100
Subject: [PATCH 4/4] Update
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 67131e509c..7267d2443a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
template:
name: sshd_lineinfile
vars:
- missing_parameter_pass: 'false'
+ missing_parameter_pass: 'true'
parameter: X11UseLocalhost
rule_id: sshd_x11_use_localhost
value: 'yes'


@ -0,0 +1,196 @@
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 851993512..515a4a172 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -850,7 +850,8 @@ controls:
- id: R63
level: intermediary
title: Explicit arguments in sudo specifications
- # rules: TBD
+ rules:
+ - sudoers_explicit_command_args
- id: R64
level: intermediary
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
new file mode 100644
index 000000000..94a0cb421
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
+ <criteria operator="AND">
+ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Make sure that no command in user spec is without any argument"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="object_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
+ where a command is <runas spec>?<anything except ,>+,
+ - ',' is a command delimiter, while
+ The last capturing group holds the offending command without args.
+ -->
+ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
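Review bot: nothing in the `<ind:pattern>` ties the text left of `=` to a user specification, so `Defaults` and `Cmnd_Alias` lines match as well: `Defaults secure_path = /usr/sbin:/usr/bin` has one token after `=` followed by end of line, which is exactly the final capturing group, and `Cmnd_Alias SHELLS = /bin/sh` is reported like a bare command in a user spec. A negative lookahead for those keywords at the start of the pattern, plus a pass test containing such lines, would avoid findings on stock sudoers files. Separately, the `<ind:filepath>` regex `^/etc/sudoers(\.d/.*)?$` also matches files sudo itself skips in sudoers.d (names ending in `~` or containing a `.`), so editor backups there can produce findings; narrowing the filepath pattern accordingly is worth considering.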
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
new file mode 100644
index 000000000..a0590c8b0
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+title: "Explicit arguments in sudo specifications"
+
+description: |-
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
+ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
+
+rationale: |-
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
+ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
+ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
+ level of its specification.
+
+ For example, on some systems, the kernel messages are only accessible by root.
+ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
+ in order to prevent the user from flushing the buffer through the -c option:
+ <pre>
+ user ALL = dmesg ""
+ </pre>
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83631-2
+ cce@rhel8: CCE-83632-0
+
+references:
+ anssi: BP28(R63)
+
+ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
+
+ocil: |-
+ To determine if arguments that commands can be executed with are restricted, run the following command:
+ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return no output.
+
+platform: sudo
+
+warnings:
+ - general:
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
+
+ - general:
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
+ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
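Review bot: the second warning covers the comma limitation, but both the OVAL pattern and the `grep -PR` in `ocil` evaluate one physical line at a time, so sudoers line continuations are not handled either: on `user ALL = /bin/ls arg, \` the trailing `\` itself satisfies `[^,\s]+[ \t]*(?:,|$)` and is reported as an argument-less command, while the continued line has no `=` and is never inspected. Add that case to the warnings (and a test for it), and note that `grep -R` over `/etc/sudoers.d/` will also read files sudo ignores (names ending in `~` or containing a `.`), so a finding should be verified against what sudo actually loads.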
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
new file mode 100644
index 000000000..b0d05b2a5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+
+echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
+echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
new file mode 100644
index 000000000..c6f885f9f
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
new file mode 100644
index 000000000..fce851f55
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
new file mode 100644
index 000000000..baf66468d
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# remediation = none
+# packages = sudo
+
+# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
+# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
+# and val2 is another command in the user spec.
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
+
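Review bot: typo in the comment: `commad delimiter` should be `command delimiter`. Since this file deliberately encodes the known comma limitation as an expected fail (`false_positive.fail.sh` with `# remediation = none`), a one-line pointer to the corresponding warning in rule.yml would keep the two in sync if the pattern is later fixed and this test flips to pass.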
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
new file mode 100644
index 000000000..9a04a205a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
new file mode 100644
index 000000000..4a3a7c94b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+# packages = sudo
+
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
+echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
new file mode 100644
index 000000000..9643a3337
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# packages = sudo
+# remediation = none
+
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
+echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
+
+echo 'user ALL = ALL' > /etc/sudoers.d/bar
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4dbec8255..94a116b59 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -140,8 +140,6 @@ CCE-83626-2
CCE-83627-0
CCE-83628-8
CCE-83629-6
-CCE-83631-2
-CCE-83632-0
CCE-83633-8
CCE-83634-6
CCE-83635-3

@ -0,0 +1,213 @@
From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Thu, 4 Feb 2021 09:43:51 +0100
Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
---
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
9 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 52af3ef47e..4e249f61e2 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
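Review bot: the subject only says /var grows to 3 GB, but this hunk (and its twin in every other kickstart below) also lowers the root minimum from `--size=4216` to `--size=3192` so the total stays the same; the commit message should state that trade-off. Because `/` carries `--grow`, the smaller `--size` is only a floor, so on small disks 3192 MiB becomes the guaranteed root size; please confirm that is enough for the package set these profiles install.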
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 702f23d4dc..a1511b157a 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index b875692944..981d291847 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 4a114aebb6..7fc4945518 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
index bf3804b3fa..ee3a20bcc2 100644
--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
# Ensure /var/log/audit Located On Separate Partition
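Review bot: in the CIS kickstart the `+logvol /var ... --size=3072` line and the `/var/log` line below it carry no `--fsoptions`, whereas every other kickstart in this patch mounts /var with `nodev` and /var/log with `nodev,nosuid,noexec`. Since the line is being touched anyway, aligning the mount options (or adding a comment on why CIS differs) would be worthwhile.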
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
index 6e0f83ebb7..8e4b92584f 100644
--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
index 119e98364f..ec490c38ee 100644
--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
index 21a50f52fd..386cbcc169 100644
--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
index a3e5e5fec1..28f7ff0927 100644
--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition

@ -0,0 +1,426 @@
From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:41:26 +0100
Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
- No need to restrict IPv6
- Root login is not restricted
- Simplify boot command
- Simplify partitioning
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++--------------
.../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------
2 files changed, 5 insertions(+), 94 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
index 4160ac094c..9bc4eae44f 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
@@ -54,7 +54,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
+network --onboot yes --device eth0 --bootproto dhcp
# Set the system's root password (required)
# Plaintext password is: server
@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
# encrypted password form for different plaintext password
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
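Review bot: besides the root-login (`user --name=admin ...`) and SELinux lines listed in the commit message, this hunk also drops `firewall --enabled --ssh`, so the installed system ends up with the installer's default firewall configuration. If that is intended for the minimal level, add a bullet to the message; otherwise keep the firewall line.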
@@ -89,7 +75,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
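Review bot: the context comment above `+bootloader --location=mbr` still reads `# Plaintext password is: password` and explains how to create the encrypted password form, but this hunk removes the `--password=` option; update or drop those comment lines so readers do not expect a password-protected bootloader.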
@@ -103,33 +89,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+autopart
# Despite the ID referencing NT-28, the profile is aligned to BP-028
%addon org_fedora_oscap
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 7fc4945518..1d62b55d55 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
# to see how to create encrypted password form for different plaintext password
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
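Review bot: this hunk removes `authconfig --enableshadow --passalgo=sha512` along with the user, firewall and SELinux lines, but the commit message mentions only root login and SELinux. Dropping authconfig is reasonable for RHEL 8 (it is deprecated there in favour of authselect) and the rhel7 hunk in the same patch keeps it, which is fine; just record the rhel8-specific authconfig removal and the firewall removal in the message.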
@@ -89,7 +66,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
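Review bot: the same stale comment appears here: the `# Refer to e.g. ... rootpw` and `# to see how to create encrypted password form` lines now precede a `bootloader --location=mbr` with no `--password=`. The dropped `--append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"` also removes the kernel audit and hardening parameters from the boot line; the "Simplify boot command" bullet should spell that out, and it is worth checking that no rule selected by the minimal profile still expects `audit=1`.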
@@ -103,33 +80,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-logvol swap --name=swap --vgname=VolGroup --size=2016
+autopart
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system.This add-on has been enabled by default
From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:53:20 +0100
Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
- Simplify boot command
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
index ab654410b5..20c4c59a78 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 981d291847..3a241b06f4 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
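Review bot: Removing the bare `install` command is correct for RHEL 8, where pykickstart treats it as deprecated, but neither bullet in the commit message covers it; add a line saying the deprecated command was dropped so the deletion is not mistaken for an accident when the file is diffed against the RHEL 7 kickstart, which keeps its own structure.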
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
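Review bot: `--noipv6` is new here, but the commit message ("Simplify boot command", "No requirement to enforce use of SELinux") gives no reason for disabling IPv6 on the installed interface, and the RHEL 7 kickstart in this same patch gets no equivalent change. State the ANSSI requirement this maps to. Note also that `--noipv6` only disables IPv6 on the connection the installer creates for this device; it does not turn off the IPv6 stack through sysctl, so any profile rule that checks the kernel setting still needs its own remediation.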
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
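Review bot: Removing `authconfig --enableshadow --passalgo=sha512` makes sense on RHEL 8, where `authconfig` has been superseded by `authselect` in kickstart, but the commit message does not mention it, and nothing in the kickstart now states the password hashing algorithm; the RHEL 8 default of sha512 in `/etc/login.defs` is being relied on implicitly. A short comment would keep that explicit. As in the RHEL 7 file, dropping `selinux --enforcing` leaves the mode to the installer default (enforcing); keep at least the comment so the expected mode stays documented.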
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
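Review bot: This hunk silently drops `--password=...` from the `bootloader` line, so the RHEL 8 intermediary kickstart no longer sets a GRUB password, while the RHEL 7 intermediary kickstart in the same patch keeps it. Nothing in the commit message suggests the bootloader password was meant to go; if the intent was only to remove the `--append` arguments, the line should read `bootloader --location=mbr --password=$6$...` as in the RHEL 7 file. Removing `audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none` here is consistent with the audit arguments being reinstated for the enhanced level in the next patch, but that too deserves a sentence in the message.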
From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:03:09 +0100
Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
- Keep restricting IPv6
- Audit enabled during boot
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
.../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 2e75873a28..1d35bedb91 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
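Review bot: Same point as for the intermediary kickstart in the previous patch: removing `selinux --enforcing` leaves the SELinux mode to the installer default, and the comment recording that default goes with it. Keep a comment, or the explicit command, so the enhanced-level file documents the mode it expects.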
@@ -89,7 +85,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
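Review bot: Typo on the new `bootloader` line: `audit_backlog_limig=8192` should be `audit_backlog_limit=8192`. The kernel does not recognise the misspelled parameter, so the audit backlog keeps its default size and early-boot events can be dropped when the queue fills, and any check that looks for `audit_backlog_limit` on the kernel command line will fail on the installed system. The RHEL 8 enhanced kickstart in this patch spells it correctly.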
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 4e249f61e2..728946ecb7 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
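Review bot: The new line keeps `audit=1 audit_backlog_limit=8192` but drops `slub_debug=P page_poison=1 vsyscall=none`; the commit message ("Audit enabled during boot") explains what stays, not why the three hardening arguments go. If the enhanced-level profile no longer selects the grub2 argument rules for them, say so in the message; if it still does, a system installed from this kickstart will fail those rules on its first scan.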
From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 14:08:15 +0100
Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
---
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
index 745dcbd058..73225c2fab 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
@@ -89,7 +89,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index a1511b157a..cd0eff2625 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -6,9 +6,6 @@
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
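Review bot: Here `selinux --enforcing` is kept while `authconfig` goes, unlike the intermediary and enhanced kickstarts in the two earlier patches, which drop both. That may well be intended (the high level enforcing SELinux while the lower levels do not require it), but this commit has no body; one sentence stating the difference would spare the next reader a three-way diff of the kickstarts.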
@@ -89,7 +80,7 @@ timezone --utc America/New_York
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
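Review bot: Dropping `slub_debug=P page_poison=1 vsyscall=none` from the high-level kickstart needs a rationale in the commit message, which currently has none. These are hardening arguments rather than simplifications; if the high-level profile still selects the grub2 rules that check for them, the installed system fails on first scan, and if the profile dropped them, that is exactly what the message should say.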

From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 01:02:48 +0100
Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
Remediating this during kickstart install time renders the machine
unbootable.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 1811c43815..34e8290f74 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -32,3 +32,6 @@ template:
sysctlvar: kernel.modules_disabled
sysctlval: '1'
datatype: int
+ backends:
+ # Automated remediation of this rule disrupts installs via kickstart
+ bash: 'off'
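Review bot: Switching only the `bash` backend off matches the commit message, since it is the Bash remediation that runs during a kickstart install; the Ansible remediation the `sysctl` template generates stays enabled, which is fine for a running system (setting `kernel.modules_disabled=1` there only prevents further module loading until reboot). Put that reasoning in the comment on the `backends:` key, so nobody later "fixes" the asymmetry by disabling Ansible too, or re-enables Bash without knowing why it was turned off.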
From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:23:17 +0100
Subject: [PATCH 2/2] Add warning why rule has no remediation
Rule sysctl_kernel_modules_disabled disrupts the install and boot
process if remediated during installation.
---
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
index 34e8290f74..438cd2759e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
@@ -26,6 +26,11 @@ references:
platform: machine
+warnings:
+ - general:
+ This rule doesn't come with Bash remediation.
+ Remediating this rule during the installation process disrupts the install and boot process.
+
template:
name: sysctl
vars:
@@ -33,5 +38,5 @@ template:
sysctlval: '1'
datatype: int
backends:
- # Automated remediation of this rule disrupts installs via kickstart
+ # Automated remediation of this rule during installations disrupts the first boot
bash: 'off'

From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 12 Feb 2021 10:36:10 +0100
Subject: [PATCH] remove rules disabling vfat file systems from cis profiles
---
rhcos4/profiles/moderate.profile | 1 -
rhel7/profiles/cis.profile | 3 +--
rhel8/profiles/cis.profile | 4 ++--
sle15/profiles/cis.profile | 1 -
4 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
index 4e715cae9a..966e092c97 100644
--- a/rhcos4/profiles/moderate.profile
+++ b/rhcos4/profiles/moderate.profile
@@ -627,4 +627,3 @@ selections:
- kernel_module_squashfs_disabled
- kernel_module_udf_disabled
- kernel_module_usb-storage_disabled
- - kernel_module_vfat_disabled
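Review bot: The subject says "cis profiles", but this hunk edits `rhcos4/profiles/moderate.profile`, which is not a CIS profile; either the subject should cover it or this hunk belongs in its own change with its own justification. The reason for dropping `kernel_module_vfat_disabled` (the vfat module is needed to mount the EFI System Partition on UEFI hosts, which is why CIS treats the FAT item as a manual check) should be in the commit body in any case, since the message currently has none.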
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 22d5117546..093d2b5759 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -46,8 +46,7 @@ selections:
#### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
- kernel_module_udf_disabled
- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
- - kernel_module_vfat_disabled
+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual)
### 1.1.2 Ensure separate partition exists for /tmp (Scored)
- partition_for_tmp
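Review bot: The heading is kept with no rule beneath it, which is fine as documentation of a manual item, but the file now mixes "(Manual)" on this heading with "(Scored)" on the neighbouring `### 1.1.2` heading and with the "(Not Scored)" labels used in the rhel8 and sle15 files in this same patch. If the label change tracks a newer benchmark revision, say so in the commit message; otherwise keep the labelling scheme consistent within the file.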
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index 9ceeb74f9a..e96d2fbb9d 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -31,8 +31,8 @@ selections:
#### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
- kernel_module_cramfs_disabled
- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
- - kernel_module_vfat_disabled
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
+
#### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
- kernel_module_squashfs_disabled
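Review bot: The added empty `+` line after the `#### 1.1.1.2` heading is stray whitespace; the other headings in this hunk are already separated by a single blank line, so drop it. Correcting "flesystems" to "filesystems" here is good; the same typo is left standing in `sle15/profiles/cis.profile` later in this patch.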
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
index 9a0efedbdd..fa9ff3b775 100644
--- a/sle15/profiles/cis.profile
+++ b/sle15/profiles/cis.profile
@@ -25,7 +25,6 @@ selections:
- kernel_module_udf_disabled
#### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored)
- - kernel_module_vfat_disabled
### 1.1.2 Ensure /tmp is configured (Scored)
- partition_for_tmp
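Review bot: "flesystems" in the `#### 1.1.1.4` heading, kept as context here, is the same typo the rhel8 hunk in this patch corrects; fix it in this file too while the hunk is already touching the line below it.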

From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 25 Jan 2021 18:28:26 +0100
Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
rule.
---
.../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
shared/references/cce-redhat-avail.txt | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index dc9f7dca7c..88d2d77e14 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -19,7 +19,7 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel7: CCE-83398-8
+ cce@rhel7: CCE-83636-1
references:
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
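Review bot: The diffstat lists `shared/references/cce-redhat-avail.txt | 1 -`, but no hunk for that file appears in the patch as shown; if CCE-83636-1 is not removed from the available-identifier list, it can be handed out to another rule later, recreating the duplicate-identifier problem this commit fixes. It would also help to state in the commit message which rule CCE-83398-8 collided with, so the old identifier is not reused by mistake.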

From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 16 Feb 2021 15:49:46 +0100
Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG
profile.
This rule is not aligned with STIG because it checks for space left in
megabytes, whereas STIG demands space left in percentage.
---
rhel8/profiles/stig.profile | 3 ++-
tests/data/profile_stability/rhel8/stig.profile | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 0aa6f28986..dccfb548b7 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -219,7 +219,8 @@ selections:
- package_rsyslog_installed
- package_rsyslog-gnutls_installed
- rsyslog_remote_loghost
- - auditd_data_retention_space_left
+ # this rule expects configuration in MB instead percentage as how STIG demands
+ # - auditd_data_retention_space_left
- auditd_data_retention_space_left_action
# remediation fails because default configuration file contains pool instead of server keyword
- chronyd_or_ntpd_set_maxpoll
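Review bot: The comment on the new lines is hard to parse ("expects configuration in MB instead percentage as how STIG demands"); suggest `# this rule expects space_left in MB, whereas the STIG demands a percentage`. More importantly, commenting the rule out leaves the STIG requirement with no rule at all; the commit message should say whether a percentage-based variant is planned, otherwise the gap is invisible to anyone reading the profile.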
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 55b645b67b..41782dcf3d 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -63,7 +63,6 @@ selections:
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_max_log_file_action
-- auditd_data_retention_space_left
- auditd_data_retention_space_left_action
- auditd_local_events
- auditd_log_format

From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 12 Jan 2021 16:23:07 +0100
Subject: [PATCH 1/2] remove rule from rhel8 stig
---
rhel8/profiles/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 882c481066..cda0239433 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,7 +45,6 @@ selections:
- package_audispd-plugins_installed
- package_libcap-ng-utils_installed
- auditd_audispd_syslog_plugin_activated
- - accounts_passwords_pam_faillock_enforce_local
- accounts_password_pam_enforce_local
- accounts_password_pam_enforce_root
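Review bot: The commit message ("remove rule from rhel8 stig") gives no reason for dropping `accounts_passwords_pam_faillock_enforce_local`. Since `accounts_password_pam_enforce_local` stays selected on the very next line, the reason is presumably that the two overlap, or that the faillock variant misbehaves on RHEL 8; whichever it is, put it in the message, and consider leaving a commented-out line with the reason in the profile, as this file already does for other deselected rules (`# remediation fails because ...`).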
From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 12 Jan 2021 16:23:25 +0100
Subject: [PATCH 2/2] modify profile stability test
---
tests/data/profile_stability/rhel8/stig.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index a4ad24aec2..6676ca497c 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -41,7 +41,6 @@ selections:
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_passwords_pam_faillock_deny
-- accounts_passwords_pam_faillock_enforce_local
- accounts_passwords_pam_faillock_interval
- accounts_passwords_pam_faillock_unlock_time
- accounts_umask_etc_bashrc

From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
From: Guang Yee <guang.yee@suse.com>
Date: Mon, 11 Jan 2021 12:55:43 -0800
Subject: [PATCH] Enable checks and remediations for the following SLES-12
STIGs:
- SLES-12-010030 'banner_etc_issue'
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
- SLES-12-010450 'encrypt_partitions'
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
- SLES-12-010500 'package_aide_installed'
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
- SLES-12-010580 'kernel_module_usb-storage_disabled'
- SLES-12-010599 'package_MFEhiplsm_installed'
- SLES-12-010690 'no_files_unowned_by_user'
- SLES-12-030000 'package_telnet-server_removed'
- SLES-12-030010 'ftp_present_banner'
- SLES-12-030050 'sshd_enable_warning_banner'
- SLES-12-030110 'sshd_set_loglevel_verbose'
- SLES-12-030130 'sshd_print_last_log'
- SLES-12-030210 'file_permissions_sshd_pub_key'
- SLES-12-030220 'file_permissions_sshd_private_key'
- SLES-12-030230 'sshd_enable_strictmodes'
- SLES-12-030240 'sshd_use_priv_separation'
- SLES-12-030250 'sshd_disable_compression'
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
---
.../ftp_present_banner/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../rule.yml | 1 +
.../file_permissions_sshd_pub_key/rule.yml | 1 +
.../ansible/shared.yml | 2 +-
.../sshd_disable_compression/rule.yml | 1 +
.../sshd_enable_strictmodes/rule.yml | 1 +
.../sshd_enable_warning_banner/rule.yml | 1 +
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
.../sshd_set_loglevel_verbose/rule.yml | 1 +
.../sshd_use_priv_separation/rule.yml | 1 +
.../banner_etc_issue/ansible/shared.yml | 2 +-
.../banner_etc_issue/rule.yml | 4 ++-
.../ansible/shared.yml | 2 +-
.../rule.yml | 2 ++
.../ansible/shared.yml | 2 +-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../bash/shared.sh | 2 +-
.../rule.yml | 2 ++
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
.../rule.yml | 4 ++-
.../encrypt_partitions/rule.yml | 8 +++++-
.../package_MFEhiplsm_installed/rule.yml | 2 ++
.../aide/package_aide_installed/rule.yml | 3 +++
.../ansible/sle12.yml | 13 ++++++++++
.../rule.yml | 8 +++++-
shared/applicability/general.yml | 4 +++
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
.../kernel_module_disabled/ansible.template | 12 +++++++--
.../kernel_module_disabled/bash.template | 9 ++++++-
.../kernel_module_disabled/oval.template | 5 ++++
sle12/product.yml | 1 +
sle12/profiles/stig.profile | 25 +++++++++++++++++++
37 files changed, 153 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
index 35ba09b0d0..3590a085b6 100644
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80248-8
+ cce@sle12: CCE-83059-6
references:
stigid@sle12: SLES-12-030010
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 317eecdc3d..619b3f0b7d 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -27,6 +27,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27165-0
cce@rhel8: CCE-82182-7
+ cce@sle12: CCE-83084-4
references:
stigid@ol7: OL07-00-021710
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index 2e52219ece..d460411667 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27485-2
cce@rhel8: CCE-82424-3
+ cce@sle12: CCE-83058-8
references:
stigid@ol7: OL07-00-040420
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index e59ddc0770..b9e07d71af 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27311-0
cce@rhel8: CCE-82428-4
+ cce@sle12: CCE-83057-0
references:
stigid@ol7: OL07-00-040410
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
index e07e436d60..f8d422c6c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index fe7e67c1c2..f8eec6a074 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80224-9
cce@rhel8: CCE-80895-6
+ cce@sle12: CCE-83062-0
references:
stigid@ol7: OL07-00-040470
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 22b98c71a2..601f6a0ca2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80222-3
cce@rhel8: CCE-80904-6
+ cce@sle12: CCE-83060-4
references:
stigid@ol7: OL07-00-040450
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 2199d61ca9..c93ef6340f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27314-4
cce@rhel8: CCE-80905-3
+ cce@sle12: CCE-83066-1
references:
stigid@ol7: OL07-00-040170
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index a0b8ed38ae..0ce5da30b2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80225-6
cce@rhel8: CCE-82281-7
+ cce@sle12: CCE-83083-6
references:
stigid@ol7: OL07-00-040360
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 28ce48de8e..2180398855 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82419-3
cce@rhel8: CCE-82420-1
+ cce@sle12: CCE-83077-8
references:
srg: SRG-OS-000032-GPOS-00013
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 14d1acfd22..d65ddb6cd1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80223-1
cce@rhel8: CCE-80908-7
+ cce@sle12: CCE-83061-2
references:
stigid@ol7: OL07-00-040460
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index f3a0c85ea5..ff6b6eab42 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# reboot = false
# strategy = unknown
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index a86ede70f8..637d8ee528 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Modify the System Login Banner'
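Review bot: `sle12` is appended after `wrlinux1019`, breaking the otherwise alphabetical product order on the `prodtype:` line (`sle15` already sits before `wrlinux1019`); place it as `sle12,sle15` so the list stays easy to scan and merge cleanly. The same pattern appears in the other `prodtype` edits in this patch.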
@@ -52,6 +52,7 @@ identifiers:
cce@rhel7: CCE-27303-7
cce@rhel8: CCE-80763-6
cce@rhcos4: CCE-82555-4
+ cce@sle12: CCE-83054-7
references:
stigid@ol7: OL07-00-010050
@@ -64,6 +65,7 @@ references:
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
stigid@rhel7: RHEL-07-010050
+ stigid@sle12: SLES-12-010030
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index 9d50a9d20c..536ac29569 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index e598f4e8cb..32412aa482 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82041-5
cce@rhel8: CCE-80955-8
+ cce@sle12: CCE-83065-3
references:
stigid@ol7: OL07-00-040000
@@ -30,6 +31,7 @@ references:
srg: SRG-OS-000027-GPOS-00008
vmmsrg: SRG-OS-000027-VMM-000080
stigid@rhel7: RHEL-07-040000
+ stigid@sle12: SLES-12-010120
isa-62443-2013: 'SR 3.1,SR 3.8'
isa-62443-2009: 4.3.3.4
cobit5: DSS01.05,DSS05.02
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
index 23bcdf8641..007b23ba24 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index 4c27eb11fd..1943a00fb2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Encrypt Audit Records Sent With audispd Plugin'
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80540-8
cce@rhel8: CCE-80926-9
+ cce@sle12: CCE-83063-8
references:
stigid@ol7: OL07-00-030310
@@ -33,6 +34,7 @@ references:
nist: AU-9(3),CM-6(a)
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
stigid@rhel7: RHEL-07-030310
+ stigid@sle12: SLES-12-030340
ospp: FAU_GEN.1.1.c
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a3f78cb910..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80179-5
cce@rhel8: CCE-81013-5
cce@rhcos4: CCE-82480-5
+ cce@sle12: CCE-83078-6
references:
stigid@ol7: OL07-00-040830
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040830
+ stigid@sle12: SLES-12-030361
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 0cd3dbc143..7bc4e3b9b7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
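Review bot: style point on the prodtype line: `sle12` is appended after `wrlinux1019`, while the other rules touched by this patch (no_files_unowned_by_user, kernel_module_usb-storage_disabled, ensure_gpgcheck_globally_activated) insert it in sorted position before `sle15`. Suggest `...,rhv4,sle12,sle15,wrlinux1019` here and in the matching hunks of sysctl_net_ipv4_conf_default_accept_source_route, sysctl_net_ipv4_conf_default_send_redirects and the IPv6 accept_source_route rule above, so the lists stay sorted and cheap to diff.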
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27434-0
cce@rhel8: CCE-81011-9
cce@rhcos4: CCE-82478-9
+ cce@sle12: CCE-83064-6
references:
stigid@ol7: OL07-00-040610
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040610
+ stigid@sle12: SLES-12-030360
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index c48ec8de3d..f7ee2e9818 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80162-1
cce@rhel8: CCE-80920-2
cce@rhcos4: CCE-82479-7
+ cce@sle12: CCE-83079-4
references:
stigid@ol7: OL07-00-040620
@@ -34,6 +35,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040620
+ stigid@sle12: SLES-12-030370
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index ddf6b07758..861c3485f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
@@ -19,6 +19,7 @@ identifiers:
cce@rhel7: CCE-80999-6
cce@rhel8: CCE-80921-0
cce@rhcos4: CCE-82485-4
+ cce@sle12: CCE-83086-9
references:
stigid@ol7: OL07-00-040650
@@ -31,6 +32,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040650
+ stigid@sle12: SLES-12-030420
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 0a829df187..e49942d1cc 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '{}' find '{}' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
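Review bot: this script is now applied on SLE too, so worth noting that `awk '{print $6}'` over `df -P` output keeps only the first word of the mount point; a mount target containing a space is truncated and `find` then walks the wrong directory (or none, with the error hidden by `2>/dev/null`), so world-writable directories on that filesystem are never fixed. Pre-existing, but reading one whole target per line (for example `findmnt -ln -o TARGET` restricted to local filesystems) would close the gap while the platform list grows.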
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index d04df8df86..5bb3cf3713 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80130-8
cce@rhel8: CCE-80783-4
cce@rhcos4: CCE-82753-5
+ cce@sle12: CCE-83047-1
references:
cis@rhe8: 1.1.21
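Review bot: while this file is being touched, the context line `cis@rhe8: 1.1.21` looks like a typo for `cis@rhel8`; as written the CIS RHEL 8 reference hangs off an unknown product key and will not show up in the RHEL 8 CIS mapping.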
@@ -46,6 +47,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@sle15: 1.1.22
+ stigid@sle12: SLES-12-010460
ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index e664cf9215..faab0b8822 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Ensure All Files Are Owned by a User'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80134-0
cce@rhel8: CCE-83499-4
+ cce@sle12: CCE-83072-9
references:
stigid@ol7: OL07-00-020320
@@ -40,6 +41,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,13,14,15,16,18,3,5,9
cis@sle15: 6.1.11
+ stigid@sle12: SLES-12-010690
ocil_clause: 'files exist that are not owned by a valid user'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index c78b570efb..24e77cc74e 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Disable Modprobe Loading of USB Storage Driver'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27277-3
cce@rhel8: CCE-80835-2
cce@rhcos4: CCE-82719-6
+ cce@sle12: CCE-83069-5
references:
stigid@ol7: OL07-00-020100
@@ -39,6 +40,7 @@ references:
cis-csc: 1,12,15,16,5
cis@rhel8: 1.1.23
cis@sle15: 1.1.3
+ stigid@sle12: SLES-12-010580
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 80d1856778..fe370a4323 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
title: 'Encrypt Partitions'
@@ -14,6 +14,7 @@ description: |-
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
+ {{% if product != "sle12" %}}
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
@@ -26,11 +27,14 @@ description: |-
<br /><br />
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
+ {{% endif %}}
<br /><br />
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the {{{ full_name }}} Documentation web site:<br />
{{% if product in ["ol7", "ol8"] %}}
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
+ {{% elif product == "sle12" %}}
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
{{% endif %}}
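Review bot: two nits in the new `elif` branch: the sle12 `weblink` line lacks the trailing `.` that the ol7/ol8 and Red Hat branches carry, so the rendered description ends without a full stop for sle12; and the URL points at the `sled-12` (Desktop) book, so please confirm that is the intended reference for SUSE Linux Enterprise Server or point it at the SLES security guide instead.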
@@ -45,6 +49,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27128-8
cce@rhel8: CCE-80789-1
+ cce@sle12: CCE-83046-3
references:
cui: 3.13.16
@@ -58,6 +63,7 @@ references:
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
cis-csc: 13,14
+ stigid@sle12: SLES-12-010450
ocil_clause: 'partitions do not have a type of crypto_LUKS'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
index f96cfc925b..c0bf1ee908 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80368-4
+ cce@sle12: CCE-83071-1
references:
disa: CCI-000366,CCI-001263
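Review bot: a sle12 identifier and STIG ID are added, but no prodtype hunk for this file is in the patch and the identifiers block only carries cce@rhel7, so please confirm the rule's prodtype already includes sle12. The stig.profile hunk at the end of this patch selects package_MFEhiplsm_installed, and selecting a rule that is not built for the product is either rejected by the build or silently dropped from the profile.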
@@ -31,6 +32,7 @@ references:
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@rhel7: RHEL-07-020019
+ stigid@sle12: SLES-12-010599
ocil_clause: 'the HBSS HIPS module is not installed'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 699992b48c..23e939bbec 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27096-7
cce@rhel8: CCE-80844-4
+ cce@sle12: CCE-83048-9
references:
cis@rhel8: 1.4.1
@@ -30,6 +31,8 @@ references:
srg: SRG-OS-000363-GPOS-00150
cis@sle15: 1.4.1
ism: 1034,1288,1341,1417
+ stigid@sle12: SLES-12-010500
+ disa@sle12: CCI-002699
ocil_clause: 'the package is not installed'
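Review bot: `disa@sle12: CCI-002699` introduces a product-qualified `disa@` key, which no other rule in this patch uses (they add only `stigid@sle12`). Confirm the reference resolver treats `disa@<product>` like `stigid@<product>`, and whether it replaces or merges with the rule's product-agnostic `disa:` list; if it replaces, every CCI carried by the generic key is lost in the sle12 build.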
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
new file mode 100644
index 0000000000..6fca48166a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: Ensure GPG check is globally activated (zypper)
+ ini_file:
+ dest: /etc/zypp/zypp.conf
+ section: main
+ option: gpgcheck
+ value: 1
+ no_extra_spaces: yes
+ create: False
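Review bot: `# strategy = unknown` in the header is a placeholder; the other remediations in this patch carry a concrete strategy (restrict, disable) and this one is a plain configuration change, so `configure` fits. Two more points: the path `/etc/zypp/zypp.conf` is hard-coded although the sle12/product.yml hunk below introduces `pkg_manager_config_file` for exactly this value, so `{{{ pkg_manager_config_file }}}` would keep remediation and check on the same file; and `ini_file` with `no_extra_spaces` writes `gpgcheck=1`, so make sure the rule's OVAL accepts that spelling as well as the `gpgcheck = on` style used in the stock zypp.conf comments, otherwise a host already hardened by hand is rewritten or, worse, reported as failing.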
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 24cef5499c..1f86aff1e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
@@ -33,6 +33,7 @@ severity: high
identifiers:
cce@rhel7: CCE-26989-4
cce@rhel8: CCE-80790-9
+ cce@sle12: CCE-83068-7
references:
stigid@ol7: OL07-00-020050
@@ -54,6 +55,7 @@ references:
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,2,3,9
anssi: BP28(R15)
+ stigid@sle12: SLES-12-010550
ocil_clause: 'GPG checking is not enabled'
@@ -66,4 +68,8 @@ ocil: |-
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
disabled.
+{{% if product == 'sle12' %}}
+platform: zypper
+{{% else %}}
platform: yum
+{{% endif %}}
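Review bot: the conditional keys the CPE on `product == 'sle12'`, but the prodtype line in the first hunk of this file also lists sle15, which will therefore still be built with `platform: yum` and never apply on a SLE 15 host. sle12/product.yml sets `pkg_manager: "zypper"` and the title already uses `{{{ pkg_manager }}}`, so `platform: {{{ pkg_manager }}}` covers every product without a per-product branch, given the `zypper` CPE the general.yml hunk below defines.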
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index a6581fd713..7382b7dd30 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -74,3 +74,7 @@ cpes:
title: "Package yum is installed"
check_id: installed_env_has_yum_package
+ - zypper:
+ name: "cpe:/a:zypper"
+ title: "Package zypper is installed"
+ check_id: installed_env_has_zypper_package
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
new file mode 100644
index 0000000000..cf14e6af3c
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_zypper_package" version="1">
+ <metadata>
+ <title>Package zypper is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_sle</platform>
+ </affected>
+ <description>Checks if package zypper is installed.</description>
+ <reference ref_id="cpe:/a:zypper" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_zypper_installed" version="1"
+ comment="system has package zypper installed">
+ <linux:object object_ref="obj_env_has_zypper_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
+ <linux:name>zypper</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 47deee6e54..c4a83ad325 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,12 +1,20 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
+ lineinfile:
+ create: yes
+ dest: "/etc/modprobe.d/50-blacklist.conf"
+ regexp: '^blacklist {{{ KERNMODULE }}}$'
+ line: "blacklist {{{ KERNMODULE }}}"
+{{% else %}}
- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
lineinfile:
create: yes
dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
regexp: '{{{ KERNMODULE }}}'
line: "install {{{ KERNMODULE }}} /bin/true"
-
+{{% endif %}}
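Review bot: security-relevant caveat in the sle12 branch: `blacklist <module>` only stops modprobe from loading the module through an alias match (hardware autoload); an explicit `modprobe {{{ KERNMODULE }}}`, or the module being pulled in as a dependency of another one, still loads it. The `install {{{ KERNMODULE }}} /bin/true` line in the else branch is what actually prevents loading. If the SLES STIG wording requires the blacklist entry, consider writing both lines for sle12 (blacklist to satisfy the check text, install /bin/true to enforce it) and letting the OVAL accept either; at minimum the weaker guarantee should be stated in the rule description.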
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
index 42c0830b5f..f70a9925cd 100644
--- a/shared/templates/kernel_module_disabled/bash.template
+++ b/shared/templates/kernel_module_disabled/bash.template
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
else
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
fi
+{{% endif %}}
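Review bot: in the sle12 branch `grep -q` runs against /etc/modprobe.d/50-blacklist.conf before the file is known to exist; on a host without it grep prints an error and exits 2, `!` still takes the branch and `>>` creates the file, so the result is right but the remediation log carries a spurious error and the new file starts with an empty line. A `[ -f /etc/modprobe.d/50-blacklist.conf ] &&` guard or `2>/dev/null` on the grep keeps it clean.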
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
+ {{% if product == "sle12" %}}
+ <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
+ {{% else %}}
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
+ {{% endif %}}
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
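Review bot: logic gap in the sle12 branch: the object is pinned to /etc/modprobe.d/50-blacklist.conf, but modprobe reads every *.conf under /etc/modprobe.d, so a `blacklist {{{ KERNMODULE }}}` placed in another file, or an `install {{{ KERNMODULE }}} /bin/true` line (which is stronger than blacklist), is reported as non-compliant and the remediation then appends a duplicate entry. Suggest keeping the `<ind:path>`/`<ind:filename>` form of the else branch and widening the sle12 pattern to `^\s*(blacklist\s+{{{ KERNMODULE }}}|install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true))\s*$`, unless the SLES STIG check text pins the file, in which case that constraint belongs in the rule description.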
diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
init_system: "systemd"
pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
cpes_root: "../shared/applicability"
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 6cf3339569..15c4f70336 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -12,34 +12,59 @@ selections:
- account_temp_expire_date
- accounts_have_homedir_login_defs
- accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
- accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
- accounts_no_uid_except_zero
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_umask_etc_login_defs
+ - auditd_audispd_encrypt_sent_records
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_space_left
+ - banner_etc_issue
- banner_etc_motd
+ - dir_perms_world_writable_sticky_bits
- disable_ctrlaltdel_reboot
+ - encrypt_partitions
+ - ensure_gpgcheck_globally_activated
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - ftp_present_banner
- gnome_gdm_disable_automatic_login
- grub2_password
- grub2_uefi_password
- installed_OS_is_vendor_supported
+ - kernel_module_usb-storage_disabled
- no_empty_passwords
+ - no_files_unowned_by_user
- no_host_based_files
- no_user_host_based_files
+ - package_MFEhiplsm_installed
+ - package_aide_installed
- package_audit-audispd-plugins_installed
- package_audit_installed
+ - package_telnet-server_removed
- postfix_client_configure_mail_alias
- security_patches_up_to_date
- service_auditd_enabled
- set_password_hashing_algorithm_logindefs
+ - sshd_disable_compression
- sshd_disable_empty_passwords
- sshd_disable_user_known_hosts
- sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
- sshd_enable_x11_forwarding
+ - sshd_print_last_log
- sshd_set_idle_timeout
- sshd_set_keepalive
+ - sshd_set_loglevel_verbose
+ - sshd_use_priv_separation
- sudo_remove_no_authenticate
- sudo_remove_nopasswd
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route




@ -0,0 +1,259 @@
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index abcebf60c7..50c7d689af 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -61,7 +61,6 @@ references:
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
- stigid@rhel7: RHEL-07-040110
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
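Review bot: dropping `stigid@rhel7: RHEL-07-040110` here means sshd_use_approved_ciphers no longer maps to the RHEL 7 STIG; the new sshd_use_approved_ciphers_ordered_stig rule takes over the ID, but the hunk that switches the rhel7 stig profile selection from the old rule to the new one is not visible in this patch, so make sure it lands in the same change or the profile silently loses its cipher requirement.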
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..4796a2eab1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved ciphers"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
+ state: present
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
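Review bot: logic problem in the `regexp`: lineinfile only rewrites lines that match it, and this pattern only matches an already-compliant `Ciphers` line (the three algorithms in order, or a subset). A non-compliant `Ciphers aes128-cbc,3des-cbc`, or a wrong-order `Ciphers aes128-ctr,aes256-ctr`, does not match, so the task appends a second `Ciphers` line at EOF and sshd keeps honouring the first directive, leaving the weak ciphers active while the rule's check can still pass. Use the same match the bash remediation uses, `regexp: '^\s*[Cc]iphers\s+'`, so any existing directive is replaced. Separately, `[\w,-@]` inside a character class is the range `,` to `@` (which happens to include digits and `.:;<=>?`), not a literal hyphen; write it as `[\w,@-]`.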
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..8f751ed516
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
+else
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
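Review bot: the platform line lists multi_platform_wrlinux, Red Hat Enterprise Linux 7 and Oracle Linux 7, while the ansible file above lists only the two RHEL-family products and the rule.yml below declares `prodtype: rhel7` alone, so the OL7 and Wind River entries are dead in both remediations. Either widen prodtype (with the matching `stigid@ol7` reference) or trim both platform lines to match it.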
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..53ff0a2a9e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
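Review bot: same first-wins gap as in the remediation: with `check_existence="all_exist"` and instance 1, the test passes as soon as any `Ciphers` line matches the approved-list pattern, even when an earlier `Ciphers aes128-cbc` line precedes it, and that earlier line is the one sshd uses. The usual fix is to point the object at instance 1 of any `^\s*(?i)Ciphers(?-i)\s+` line and move the approved-list pattern into a `<ind:state>` `<ind:text operation="pattern match">` that the test references, so the directive sshd actually honours is the one being judged. Also fix the comment typo `Cipers`.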
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
new file mode 100644
index 0000000000..0751064179
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -0,0 +1,64 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated Ciphers'
+
+description: |-
+ Limit the ciphers to those algorithms which are FIPS-approved.
+ The following line in <tt>/etc/ssh/sshd_config</tt>
+ demonstrates use of FIPS-approved ciphers:
+ <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
+ This rule ensures that there are configured ciphers mentioned
+ above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
+ <br />
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
+ cryptographic modules.
+ <br />
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
+ utilize authentication that meets industry and government requirements. For government systems, this allows
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83398-8
+
+references:
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@rhel7: RHEL-07-040110
+
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
+
+ocil: |-
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
+ ciphers are in use, run the following command:
+ <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
+ The output should contain only following ciphers (or a subset) in the exact order:
+ <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
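Review bot: the OCIL check `$ sudo grep Ciphers /etc/ssh/sshd_config` is case-sensitive, while the OVAL pattern accepts the keyword case-insensitively (`(?i)Ciphers(?-i)`) and tests/correct_value.pass.sh writes it as lowercase `ciphers`; use `grep -i ciphers`, as the MACs rule in this series does, so the manual check agrees with the automated one. The general warning says the system needs a reboot, but a change to sshd_config takes effect when sshd is restarted; consider wording it that way.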
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
new file mode 100644
index 0000000000..daff7d7c53
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
new file mode 100644
index 0000000000..b9d22262af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
new file mode 100644
index 0000000000..b99d3832cd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6dfd54631c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+fi
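Review bot: correct_value.pass.sh writes the keyword as lowercase `ciphers`, so it exercises the `(?i)` flag of the OVAL pattern rather than the documented `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` form; a name such as correct_value_lowercase.pass.sh would make that intent visible, and the full list with the documented `Ciphers` spelling is not covered by any pass test. Note also that the `grep -q "^Ciphers"` guard is case-sensitive, so running this script twice appends a second `ciphers` line instead of replacing the first.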
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..7b38914a1a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
new file mode 100644
index 0000000000..6fdb47093d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
+else
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..24fdf0f30d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
+else
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
+fi
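Review bot: in the `echo` branch the `\.` sequences sit inside double quotes, where bash keeps the backslash, so the appended line contains `rijndael-cbc@lysator\.liu\.se` literally, whereas the `sed` branch writes `rijndael-cbc@lysator.liu.se`; the two branches produce different files. Drop the escapes from the echo string (in the sed replacement `\.` collapses to `.`, and `.` is not special there anyway).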
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 6c06a8ede6..adf86894e1 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -239,8 +239,7 @@ selections:
- install_antivirus
- accounts_max_concurrent_login_sessions
- configure_firewalld_ports
- - sshd_approved_ciphers=stig
- - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
- accounts_tmout
- sshd_enable_warning_banner
- sssd_ldap_start_tls


@ -0,0 +1,386 @@
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:07 +0100
Subject: [PATCH 1/7] add rule and remediations
---
.../ansible/shared.yml | 13 +++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 38 +++++++++++++
.../rule.yml | 57 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
5 files changed, 115 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..cefba7db05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved MACs"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
+ state: present
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
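Review bot: the `regexp` on the lineinfile task only matches an already compliant `MACs` line, so when sshd_config carries a non-compliant one (for example `MACs hmac-sha1`) nothing is matched, `line` is appended at the end of the file, and sshd keeps using the earlier line because the first occurrence of a keyword wins. Match any `^\s*MACs\s+` line instead, as the bash remediation in this series does. Separately, `[\w,-@]` makes `,-@` a character range (`,` through `@`, which covers the digits, `;`, `<`, `=`, `>` and `?`); escape or reorder the hyphen if a literal one is intended, and `create: True` would be better as the YAML `true`.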
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..c76190fb96
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi
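Review bot: `grep -q -P '^[[:space:]]*MACs[[:space:]]+'` and the following `sed` are case-sensitive, but the OVAL check in this series accepts the keyword case-insensitively (`(?i)MACs(?-i)`), so a line spelled `macs ...` fails the check and then survives remediation: the script appends a new `MACs` line while the original, which comes first, still takes precedence in sshd. Add `-i` to grep and the `I` flag to the sed address, or match the keyword the same way in both places.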
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..d7fbd9f0ed
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
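Review bot: in the pattern on the textfilecontent54_object, `[\w,-@]` is parsed as `\w` plus the range `,` through `@`, not as three literal characters; the same expression also appears in the lookaheads after each approved name, where it is redundant because whatever follows still has to be consumed by the trailing `[\s]*(?:#.*)?$`. Patches 5/7 and 7/7 in this series narrow it to `[\w,]` and `[\w]`; squashing those into this commit would avoid landing the broken form.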
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
new file mode 100644
index 0000000000..dc9f7dca7c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated MACs'
+
+description: |-
+ Limit the MACs to those hash algorithms which are FIPS-approved.
+ The following line in <tt>/etc/ssh/sshd_config</tt>
+ demonstrates use of FIPS-approved MACs:
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+ This rule ensures that there are configured MACs mentioned
+ above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83398-8
+
+references:
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
+ stigid@rhel7: RHEL-07-040400
+
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
+
+ocil: |-
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
+ MACs are in use, run the following command:
+ <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
+ The output should contain only following MACs (or a subset) in the exact order:
+ <pre>hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
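Review bot: `cce@rhel7: CCE-83398-8` is the same identifier already assigned to sshd_use_approved_ciphers_ordered_stig earlier in this series; CCEs must be unique per rule, so this rule needs its own entry from shared/references/cce-redhat-avail.txt (the diffstat for this patch shows one line removed from that file, so it looks like the wrong value was pasted). Minor: in the rationale, "The only SSHv2 hash algorithms meeting this requirement is SHA2" should read "algorithm ... is".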
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:25 +0100
Subject: [PATCH 2/7] add tests
---
.../tests/comment.fail.sh | 7 +++++++
.../tests/correct_reduced_list.pass.sh | 7 +++++++
.../tests/correct_scrambled.fail.sh | 7 +++++++
.../tests/correct_value.pass.sh | 7 +++++++
.../tests/line_not_there.fail.sh | 3 +++
.../tests/no_parameters.fail.sh | 7 +++++++
.../tests/wrong_value.fail.sh | 7 +++++++
7 files changed, 45 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
new file mode 100644
index 0000000000..26bf18234c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi
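Review bot: the `echo` branch writes `# ciphers MACs hmac-sha2-512,hmac-sha2-256`, a leftover from the ciphers test; it still yields a fail result because the line is commented out, but both branches should write the same `# MACs ...` text so the scenario is the one the file name describes.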
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
new file mode 100644
index 0000000000..0d922cdee9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
new file mode 100644
index 0000000000..ce3f459352
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..19da7102a7
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..fd1f19347a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
new file mode 100644
index 0000000000..44c07c6de0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
+else
+ echo 'MACs ' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..cf56cd228f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
+fi
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:58 +0100
Subject: [PATCH 3/7] modify rhel7 stig profile
---
rhel7/profiles/stig.profile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 6c06a8ede6..17c781d3eb 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -28,7 +28,6 @@ selections:
- inactivity_timeout_value=15_minutes
- var_screensaver_lock_delay=5_seconds
- sshd_idle_timeout_value=10_minutes
- - sshd_approved_macs=stig
- var_accounts_fail_delay=4
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
@@ -259,7 +258,7 @@ selections:
- sshd_print_last_log
- sshd_disable_root_login
- sshd_allow_only_protocol2
- - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
- file_permissions_sshd_pub_key
- file_permissions_sshd_private_key
- sshd_disable_gssapi_auth
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:33:10 +0100
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
---
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index 394c733f51..d47eb443f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -54,7 +54,6 @@ references:
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
- stigid@rhel7: RHEL-07-040400
stigid@sle12: SLES-12-030180
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 11:43:16 +0100
Subject: [PATCH 5/7] simplify regex
---
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
index d7fbd9f0ed..5973488661 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 11:55:19 +0100
Subject: [PATCH 6/7] make bash remediation more readable
---
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
index c76190fb96..f8f6f39bee 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
else
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 Jan 2021 13:05:18 +0100
Subject: [PATCH 7/7] one more small fix to oval regex
---
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
index 5973488661..b5443b07c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
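Review bot: one loose end remains in this final form of the pattern: a trailing separator is accepted, since `MACs hmac-sha2-512,` consumes the `,?` after the first group, the second group is optional, and only `[\s]*$` is left. If that is not intended, express the two allowed shapes as an alternation instead of two optional groups, e.g. `(hmac-sha2-512(,hmac-sha2-256)?|hmac-sha2-256)`, which also removes the need for the `(?=[\w]+)` lookahead.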


@ -0,0 +1,30 @@
From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 18 Jan 2021 15:21:51 +0100
Subject: [PATCH] Supress Ansible lint error 503
It says that Tasks that run when changed should likely be handlers.
However, we don't use handlers, and developer guide says that handlers
aren't supported. I assume handlers would cause problems for SCAP
scanners. Unless we start to support handlers this error isn't fixable
for us therefore we can suppress it globally.
Addressing problems in scap-security-guide-lint-check Jenkins job:
30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
---
tests/ansible-lint_config.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
index d5107476a9..e4b4443f8c 100644
--- a/tests/ansible-lint_config.yml
+++ b/tests/ansible-lint_config.yml
@@ -3,3 +3,4 @@ skip_list:
- '301' # Commands should not change things if nothing needs doing
- '303' # Using command rather than module
- '403' # Package installs should not use latest
+ - '503' # Tasks that run when changed should likely be handlers


@ -0,0 +1,73 @@
From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 15 Jan 2021 16:28:07 +0100
Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
---
.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
.../sshd_enable_x11_forwarding/rule.yml | 1 -
rhel7/profiles/stig.profile | 2 +-
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 1779129f87..7da2e067a6 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -19,22 +19,23 @@ rationale: |-
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders.
-severity: low
+severity: medium
-ocil_clause: "that the X11Forwarding option exists and is enabled"
-
-ocil: |-
- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
+{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
identifiers:
cce@rhel7: CCE-83359-0
cce@rhel8: CCE-83360-8
references:
- cis@rhel7: 5.2.4
- cis@rhel8: 5.2.6
- cis@sle12: 5.2.4
- cis@sle15: 5.2.6
+ cis@rhel7: 5.2.4
+ cis@rhel8: 5.2.6
+ cis@sle12: 5.2.4
+ cis@sle15: 5.2.6
+ stigid@rhel7: RHEL-07-040710
+ srg: SRG-OS-000480-GPOS-00227
+ disa: CCI-000366
+ nist: CM-6(b)
template:
name: sshd_lineinfile
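Review bot: `complete_ocil_entry_sshd_option(default="yes", ...)` changes the documented default of X11Forwarding from `no` to `yes`. OpenSSH's built-in default is `no` (sshd_config(5)), while the sshd_config shipped with RHEL 7 sets `X11Forwarding yes`; please say in the commit message which of the two the macro's `default` is meant to describe, since that text tells the auditor what an absent option means. The severity change from low to medium in the same hunk also deserves a line in the commit message.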
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 803e581a0f..87c3cb7f5a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -29,7 +29,6 @@ references:
nist: CM-6(a),AC-17(a),AC-17(2)
nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-040710
stigid@sle12: SLES-12-030260
isa-62443-2013: 'SR 7.6'
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 817e0982e5..6c06a8ede6 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -285,7 +285,7 @@ selections:
- postfix_prevent_unrestricted_relay
- package_vsftpd_removed
- package_tftp-server_removed
- - sshd_enable_x11_forwarding
+ - sshd_disable_x11_forwarding
- sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed


@ -0,0 +1,688 @@
From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 09:17:15 +0100
Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
This is not necessary as the ANSSI controls file handles this.
---
rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 64a9b542a0..4d0029af1d 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -7,7 +7,6 @@ description:
Agence nationale de la sécurité des systèmes d''information. Based on
https://www.ssi.gouv.fr/.
-extends: anssi_bp28_minimal
selections:
- anssi:all:intermediary
From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 09:21:47 +0100
Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
---
controls/anssi.yml | 2 +-
rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++---
rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++---
rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++----
rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++----
rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++-----
rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++----
9 files changed, 71 insertions(+), 32 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 2173d23f9d..54c05245b7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -1,5 +1,5 @@
policy: 'ANSSI-BP-028'
-title: 'ANSSI-BP-028'
+title: 'Configuration Recommendations of a GNU/Linux System'
id: anssi
version: '1.2'
source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 5893d12dbd..49fa8593fe 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
+title: 'ANSSI BP-028 (enhanced)'
-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:enhanced
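Review bot: two issues in the new description block. The document is called `ANSSI BP-28` on the first line and `ANSSI BP-028` on the following lines; pick one (controls/anssi.yml uses `ANSSI-BP-028`). Also, `d''information` is the escape for a YAML single-quoted scalar; inside a `|-` literal block scalar the doubled quote is taken literally, so the rendered text will show two apostrophes and it should read `d'information` here.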
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 52ae1dd6d2..2853f20607 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (high)'
+title: 'DRAFT - ANSSI BP-028 (high)'
-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
- d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:high
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index e18225247b..55f985a7a9 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -1,10 +1,16 @@
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
+title: 'ANSSI BP-028 (intermediary)'
-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
- des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- - anssi:all:intermediary
+ - anssi:all:intermediary
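Review bot: the final `- anssi:all:intermediary` line is removed and re-added with no visible difference, so this is a whitespace-only change (indentation or trailing space). Mention it in the commit message or drop it from the hunk so the diff reads as the metadata update it is.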
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index 214f37d14b..7786a26b45 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -1,9 +1,15 @@
documentation_complete: true
-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
+title: 'ANSSI BP-028 (minimal)'
-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- - anssi:all:minimal
+ - anssi:all:minimal
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 4c39852b65..49fa8593fe 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -2,10 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (enhanced)'
-description:
- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:enhanced
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 6b0489e0f1..2853f20607 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,11 +1,15 @@
documentation_complete: false
-title: 'ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI BP-028 (high)'
-description:
- ANSSI BP-028 compliance at the high level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:high
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 4d0029af1d..50ab1ba0b8 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -2,11 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (intermediary)'
-description:
- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d''information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:intermediary
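Review bot: this description block lacks the empty `+` line between `... intermediary hardening level.` and `ANSSI is the French ...` that the other seven profiles in this patch have, so the intermediary description will render as a single paragraph where the others render as two. Add the blank line for consistency.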
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index d8f076c3e7..d477d34787 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -2,10 +2,14 @@ documentation_complete: true
title: 'ANSSI BP-028 (minimal)'
-description:
- ANSSI BP-028 compliance at the minimal level. ANSSI stands for
- Agence nationale de la sécurité des systèmes d'information. Based on
- https://www.ssi.gouv.fr/.
+description: |-
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
- anssi:all:minimal
From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Feb 2021 12:23:14 +0100
Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
---
rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++----
rhel7/profiles/anssi_nt28_high.profile | 8 ++++----
rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++----
rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++----
rhel8/profiles/anssi_bp28_high.profile | 8 ++++----
rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++----
8 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 49fa8593fe..411f0c03aa 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (enhanced)'
+title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
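Review bot: the hyphen is added to the title and to `ANSSI-BP-028`, but the first description line still reads `ANSSI-BP-28`, so the document number stays inconsistent within the same file after this hunk; the 28/028 fix belongs in this patch rather than a separate one.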
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 2853f20607..d9147b2dd0 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'DRAFT - ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 55f985a7a9..6e39a978e5 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -1,15 +1,15 @@
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
documentation_complete: true
-title: 'ANSSI BP-028 (intermediary)'
+title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index 7786a26b45..f0a77bccd7 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (minimal)'
+title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 49fa8593fe..411f0c03aa 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (enhanced)'
+title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 2853f20607..d9147b2dd0 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,14 +1,14 @@
documentation_complete: false
-title: 'DRAFT - ANSSI BP-028 (high)'
+title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 50ab1ba0b8..6dcd2b8ef2 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (intermediary)'
+title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index d477d34787..54e8cbd5a6 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -1,14 +1,14 @@
documentation_complete: true
-title: 'ANSSI BP-028 (minimal)'
+title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
selections:
From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 5 Feb 2021 11:11:57 +0100
Subject: [PATCH 4/5] Fix ANSSI document number for consistency
---
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 411f0c03aa..846ace9002 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index d9147b2dd0..e4db830291 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 6e39a978e5..4454976862 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -4,7 +4,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index f0a77bccd7..cc2cbd8359 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 411f0c03aa..846ace9002 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (enhanced)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index d9147b2dd0..e4db830291 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -3,7 +3,7 @@ documentation_complete: false
title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index 6dcd2b8ef2..a9e0442257 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (intermediary)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index 54e8cbd5a6..090b571bb6 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'ANSSI-BP-028 (minimal)'
description: |-
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 5 Feb 2021 16:05:07 +0100
Subject: [PATCH 5/5] Fix single quote in ANSSI name
Previously the description was enclosed in single quotes, requiring a
single quote to be escaped.
Now the description is not enclosed in single quotes and there is no
need to escape it.
---
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
index 846ace9002..bbc11353f3 100644
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index e4db830291..22efad9c09 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
index 4454976862..0c43ab8d73 100644
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
index cc2cbd8359..480333747c 100644
--- a/rhel7/profiles/anssi_nt28_minimal.profile
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
index 846ace9002..bbc11353f3 100644
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index e4db830291..22efad9c09 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
index a9e0442257..a592031673 100644
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
index 090b571bb6..cef8394114 100644
--- a/rhel8/profiles/anssi_bp28_minimal.profile
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
@ -0,0 +1,89 @@
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 18 Jan 2021 11:18:43 +0100
Subject: [PATCH] Update metadata for a few minimal and intermediary
requirements
---
controls/anssi.yml | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..9288ac1663 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -506,7 +506,10 @@ controls:
- id: R27
title: Disabling service accounts
level: intermediary
- # rules: TBD
+ notes: >-
+ It is difficult to generally identify the system's service accounts.
+ Assisting rules could list users which are not disabled for manual review.
+ automated: no
- id: R28
level: enhanced
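Review bot: the R27 note says service accounts cannot be identified generically and leaves the control at `automated: no`, but the note could name the selector an assisting rule would use, so the next contributor does not have to rediscover it: accounts with a UID in the `SYS_UID_MIN`..`SYS_UID_MAX` range from /etc/login.defs whose shell is not /sbin/nologin or /bin/false, or whose /etc/shadow password field is not locked with `!` or `*`. Listing those for manual review is exactly the "users which are not disabled" the note asks for.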
@@ -530,7 +533,10 @@ controls:
- id: R30
level: minimal
title: Applications using PAM
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
+ Asssising rules could be created to list all applications using PAM for manual review.
+ automated: no
- id: R31
title: Securing PAM Authentication Network Services
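Review bot: typo in the added R30 note: `Asssising rules` should read `Assisting rules`. The note also leaves open where such a rule would look; the per-application service files under /etc/pam.d are the natural inventory of PAM-aware applications, so naming that directory in the note would make the intended assisting rule concrete.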
@@ -580,6 +586,7 @@ controls:
- id: R36
title: Rights to access sensitive content files
level: intermediary
+ automated: yes
rules:
- file_owner_etc_shadow
- file_permissions_etc_shadow
@@ -637,7 +644,10 @@ controls:
- id: R42
level: minimal
title: In memory services and daemons
- # rules: TBD
+ notes: >-
+ Manual review is necessary to decide if the list of resident daemons is minimal.
+ Asssising rules could be created to list sevices listening on the network for manual review.
+ automated: no
- id: R43
title: Hardening and configuring the syslog
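Review bot: two typos in the added R42 note, `Asssising` for `Assisting` and `sevices` for `services`. More substantively, the note itself frames R42 as minimising resident daemons, yet the proposed assisting rule only lists services listening on the network; daemons with no socket (cron, auditd and the like) are still in scope, so the rule should enumerate enabled units or running daemons, with listening sockets as a second view rather than the only one.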
@@ -709,6 +719,7 @@ controls:
- id: R48
level: intermediary
title: Configuring the local messaging service
+ automated: yes
rules:
- postfix_network_listening_disabled
@@ -825,6 +836,7 @@ controls:
level: intermediary
title: Privileges of target sudo users
description: The targeted users of a rule should be, as much as possible, non privileged users.
+ automated: yes
rules:
- sudoers_no_root_target
@@ -840,12 +852,14 @@ controls:
level: intermediary
title: Good use of negation in a sudoers file
description: The sudoers configuration rules should not involve negation.
+ automated: yes
rules:
- sudoers_no_command_negation
- id: R63
level: intermediary
title: Explicit arguments in sudo specifications
+ automated: yes
rules:
- sudoers_explicit_command_args
@ -0,0 +1,352 @@
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Mon, 8 Feb 2021 15:57:43 +0100
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
kickstart
---
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 1d35bedb91..c381512476 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -99,7 +99,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
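Review bot: `--fsoptions` here only controls the fstab line anaconda writes for /boot, and the three options are safe there: nothing under /boot is run through execve (the bootloader loads the kernel and initramfs itself), and no device nodes or setuid binaries live on it, so `noexec,nosuid,nodev` cannot break kernel installs or grub2-mkconfig. The identical one-line change is repeated in the five kickstarts below. If these kickstarts also create a separate /boot/efi partition (not visible in this hunk), it needs its own `--fsoptions`; mount options are not inherited from /boot.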
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
index 73225c2fab..a672b38b83 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
@@ -103,7 +103,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
index 20c4c59a78..88a7cee8ab 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
@@ -99,7 +99,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 728946ecb7..6f66a3774b 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -90,7 +90,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index cd0eff2625..b5c09253a5 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -94,7 +94,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 3a241b06f4..fb785e0c11 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -90,7 +90,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Tue, 9 Feb 2021 12:45:34 +0100
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
remediation
---
.../bash/shared.sh | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
new file mode 100644
index 0000000000..7e2b3bd76b
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
@@ -0,0 +1,18 @@
+# platform = multi_platform_all
+. /usr/share/scap-security-guide/remediation_functions
+
+include_mount_options_functions
+
+MOUNT_OPTION="nodev"
+# Create array of local non-root partitions
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
+
+for partition_record in "${partitions_records[@]}"; do
+ # Get all important information for fstab
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
+ device="$(echo ${partition_record} | cut -d " " -f2)"
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
+ # device and device_type will be used only in case when the device doesn't have fstab record
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
+ ensure_partition_is_mounted "$mount_point"
+done
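Review bot: the "local non-root" selection is two greps, `^/\w` (mount point is not `/`) and `\s/dev/\w` (source is a /dev path). That excludes NFS/CIFS sources as intended, but it also skips local filesystems whose source findmnt does not print as /dev/ (a bind mount shows its source directory; `--evaluate` only resolves `LABEL=`/`UUID=`), and it includes loop devices. Make sure this is the same definition of "local" the OVAL check for this rule uses; if the two disagree, a remediated host keeps failing the scan. Minor: the three `echo ${partition_record} | cut` pipelines leave the variable unquoted; a single `read -r mount_point device device_type _ <<< "$partition_record"` splits the raw findmnt line once and avoids the word-splitting.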
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.com>
Date: Tue, 9 Feb 2021 12:45:54 +0100
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
scenarios
---
.../tests/correct.pass.sh | 23 +++++++++++++++++
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
5 files changed, 113 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
new file mode 100644
index 0000000000..8bfac4b80f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
+mount_partition "/tmp/partition2"
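Review bot: the `sed -e ... /etc/fstab.backup` line is dead code: sed writes to stdout, nothing consumes it, and the following `awk` reads the untouched backup. Its apparent purpose (strip an existing `nodev` before re-adding it) is therefore never applied, and entries that already carry `nodev` end up as `...,nodev,nodev`; either pipe the sed output into the awk or drop the line. The awk itself also appends `,nodev` to comment lines, blank lines and swap entries because it never checks that a line is a filesystem mount; something like `awk '!/^#/ && NF>=4 && $3!="swap" {$4=$4",nodev"} {print}'` would only touch real mount lines. The same prelude is copied into the four sibling scenarios below, so the fix belongs in one shared helper.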
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
new file mode 100644
index 0000000000..84cadd6f73
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+mkdir /tmp/test_dir
+mount $PARTITION /tmp/test_dir
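Review bot: this scenario mounts the new partition directly with `mount`, with no fstab entry and no `nodev`, and expects a fail. That only holds if the check reads the live mount table (findmnt or /proc/mounts) rather than /etc/fstab alone; worth confirming the OVAL does, since every other scenario in this series goes through `make_fstab_given_partition_line`. The fstab prelude copied from the other scenarios (sed output discarded, awk appending to every line) carries the same defects here; moving it into `$SHARED/partition.sh` once would avoid fixing it in five files.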
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
new file mode 100644
index 0000000000..7a09093f46
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2
+mount_partition "/tmp/partition2"
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
new file mode 100644
index 0000000000..c20a98bdcc
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+PARTITION="/dev/new_partition1"; create_partition
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
+mount_partition "/tmp/partition1"
+
+PARTITION="/dev/new_partition2"; create_partition
+make_fstab_given_partition_line "/tmp/partition2" ext2
+mount_partition "/tmp/partition2"
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
new file mode 100644
index 0000000000..a95410526f
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# packages = nfs-utils
+
+. $SHARED/partition.sh
+
+# Add nodev option to all records in fstab to ensure that test will
+# run on environment where everything is set correctly for rule check.
+cp /etc/fstab /etc/fstab.backup
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
+# Remount all partitions. (--all option can't be used because it doesn't
+# mount e.g. /boot partition
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
+for partition in ${partitions[@]}; do
+ mount -o remount "$partition"
+done
+
+mkdir /tmp/testdir
+mkdir /tmp/testmount
+chown 2 /tmp/testdir
+chmod 777 /tmp/testdir
+
+echo '/tmp/testdir localhost(rw)' > /etc/exports
+systemctl restart nfs-server
+mount.nfs localhost:/tmp/testdir /tmp/testmount
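Review bot: `echo '...' > /etc/exports` clobbers any existing exports on the test host, and `chmod 777` on the exported directory is broader than a mount-only scenario needs; `>>` and the default mode would do. For the mount itself, `mount.nfs localhost:/tmp/testdir` with no options negotiates whatever version the server offers and can hang rather than fail if rpcbind is down, so pinning `-o vers=4` and starting rpcbind alongside nfs-server would make the scenario deterministic. Since nothing is written to fstab, this pass case relies on the check reading the live mount table and classifying `localhost:/tmp/testdir` as remote; that is the behaviour the rule needs, so the scenario is a useful guard, but the assumption should be stated in the header comment.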
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Feb 2021 18:32:26 +0100
Subject: [PATCH 4/5] Add Ansible for
mount_option_nodev_nonroot_local_partitions
The remediation metadata were inspired by the template mount_options
---
.../ansible/shared.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
new file mode 100644
index 0000000000..8530604308
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
@@ -0,0 +1,18 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = high
+
+- name: Ensure non-root local partitions are mounted with nodev option
+ mount:
+ path: "{{ item.mount }}"
+ src: "{{ item.device}}"
+ opts: "{{ item.options }},nodev"
+ state: "mounted"
+ fstype: "{{ item.fstype }}"
+ when:
+ - "item.mount is match('/\\w')"
+ - "item.options is not search('nodev')"
+ with_items:
+ - "{{ ansible_facts.mounts }}"
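Review bot: `ansible_facts.mounts` includes remote filesystems (an NFS source such as `host:/path` is listed), and the `when` only filters on `item.mount`, so this task adds `nodev` to remote mounts as well, whereas the bash remediation in patch 2/5 requires the source to start with /dev/. Add `- "item.device is match('/dev/')"` to `when` so both remediations implement the same "local" scope as the rule. Second, `item.options` are the active options from the mount table (for example `rw,seclabel,relatime`), not the fstab options, so `opts:` writes kernel-reported state into fstab and `state: mounted` may remount with options that were never there; reading the existing fstab entry, or at least filtering runtime-only options, would be safer. Third, `is not search('nodev')` would also match `nodev` embedded in another option name; `is not search('(^|,)nodev(,|$)')` is exact.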
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Feb 2021 20:29:32 +0100
Subject: [PATCH 5/5] Add space before and after variable
---
.../ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
index 8530604308..2aa9a53e4d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
@@ -7,7 +7,7 @@
- name: Ensure non-root local partitions are mounted with nodev option
mount:
path: "{{ item.mount }}"
- src: "{{ item.device}}"
+ src: "{{ item.device }}"
opts: "{{ item.options }},nodev"
state: "mounted"
fstype: "{{ item.fstype }}"
@ -1,57 +1,47 @@
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.50 Version: 0.1.54
Release: 16%{?dist} Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
Group: Applications/System Group: Applications/System
License: BSD License: BSD
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
# Patch6 already contains typo fix Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
Patch27: scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch # Untill ANSSI High profile is shipped we drop the ks too
Patch28: scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch Patch28: remove-ANSSI-high-ks.patch
Patch29: scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
Patch30: scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
Patch31: scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
Patch32: scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
Patch33: scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
# To ease backport, patch 33 also includes changes from #5995
Patch34: scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
Patch35: scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
Patch36: scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
Patch37: scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
Patch38: scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
Patch39: scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
Patch40: scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
Patch41: scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
Patch42: scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
BuildArch: noarch BuildArch: noarch
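Review bot: the comment on Patch0 ("allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream") is stale: the changelog below records the ANSSI minimal, intermediary and enhanced profiles being added in 0.1.54-1, and Patch10 updates the ANSSI profile title, so the set of profiles actually built is larger than the comment says; list the profiles the patch really enables. Also `Untill` in the Patch28 comment should be `Until`, and Patch1 is the only entry named `.diff` while every other patch is `.patch`; rename it for consistency. Finally, Source1 introduces pre-built rhel6 content (`%{_static_rhel6_content}`, from the 0.1.52-2.el7_9 build) shipped as an opaque tarball rather than built from this source tree; record in a comment which build produced it and how it was verified, so the provenance of that shipped SCAP content is auditable from the spec alone.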
@ -85,7 +75,7 @@ hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package. present in %{name} package.
%prep %prep
%setup -q %setup -q -b 1
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
@ -115,27 +105,12 @@ present in %{name} package.
%patch26 -p1 %patch26 -p1
%patch27 -p1 %patch27 -p1
%patch28 -p1 %patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
mkdir build mkdir build
%build %build
cd build cd build
%cmake \ %cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
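Review bot: dropping `-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE` while still shipping rhel6 content means none of Patch0 through Patch28 apply to that content and none of the build-time tests exercise it; that is presumably the intent of the static tarball, but it should be stated next to the `%setup -q -b 1` line. `-b 1` also assumes Source1 unpacks to exactly `%{_static_rhel6_content}` under %{_builddir}, which the `cp -r` paths in the install section hardcode; a mismatch there only shows up as a failed `cp` late in the build.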
@ -148,6 +123,11 @@ cd build
cd build cd build
%make_install %make_install
# Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
%files %files
%{_datadir}/xml/scap/ssg/content %{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart %{_datadir}/%{name}/kickstart
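Review bot: `cp -r .../usr %{buildroot}` copies an entire /usr tree from the pre-built tarball over the freshly installed 0.1.54 tree with no collision check, so any same-named file is silently replaced by the 0.1.52 version. Use `cp -rn` (or fail if the two trees overlap) so a name clash is noticed rather than hidden, and confirm that everything copied under %{_datadir}/xml/scap/ssg/content and %{_docdir}/%{name} is matched by the `%files` globs, since unpackaged files abort rpmbuild.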
@ -163,12 +143,39 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html %doc %{_docdir}/%{name}/tables/*.html
%changelog %changelog
* Fri Oct 09 2020 Watson Sato <wsato@redhat.com> - 0.1.50-16 * Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Fix Bash platform in empty remediations (rhbz#1886318) - Remove Kickstart for not shipped profile (RHBZ#1778188)
* Tue Oct 06 2020 Watson Sato <wsato@redhat.com> - 0.1.50-15 * Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
- Add and select zIPL bootloader rules in OSPP (rhbz#1886318) - Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
- Add support for remediation platforms
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344)
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to the latest upstream release (RHBZ#1889344)
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14 * Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962) - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)