import scap-security-guide-0.1.54-5.el8
This commit is contained in:
parent
61c0c12b34
commit
34f8f34227
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.50.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
|
@ -1 +1,2 @@
|
||||
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
|
||||
|
@ -1,24 +1,24 @@
|
||||
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
|
||||
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 19:01:22 +0100
|
||||
Date: Thu, 3 Dec 2020 14:35:47 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
They raise too many errors and fails.
|
||||
Also disable tables for profiles that are not built.
|
||||
---
|
||||
rhel8/CMakeLists.txt | 2 --
|
||||
rhel8/CMakeLists.txt | 6 ------
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/cjis.profile | 2 +-
|
||||
rhel8/profiles/ism_o.profile | 2 +-
|
||||
rhel8/profiles/rhelh-stig.profile | 2 +-
|
||||
rhel8/profiles/rhelh-vpp.profile | 2 +-
|
||||
rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
rhel8/profiles/standard.profile | 2 +-
|
||||
9 files changed, 8 insertions(+), 10 deletions(-)
|
||||
11 files changed, 10 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index 40f2b2b0f..492a8dae1 100644
|
||||
index d61689c97..5e444a101 100644
|
||||
--- a/rhel8/CMakeLists.txt
|
||||
+++ b/rhel8/CMakeLists.txt
|
||||
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
|
||||
|
||||
@ -26,18 +26,44 @@ index 40f2b2b0f..492a8dae1 100644
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
|
||||
|
||||
# Uncomment when anssi profiles are marked documentation_complete: true
|
||||
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
|
||||
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
|
||||
-
|
||||
ssg_build_html_cce_table(${PRODUCT})
|
||||
|
||||
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index ccad93d67..6a854378c 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'ANSSI BP-028 (high)'
|
||||
|
||||
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 05ea9cdd6..9c55ac5b1 100644
|
||||
index 035d2705b..c6475f33e 100644
|
||||
--- a/rhel8/profiles/cjis.profile
|
||||
+++ b/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'Criminal Justice Information Services (CJIS) Security Policy'
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
|
||||
index a3c427c01..4605dea3b 100644
|
||||
--- a/rhel8/profiles/ism_o.profile
|
||||
+++ b/rhel8/profiles/ism_o.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
metadata:
|
||||
SMEs:
|
||||
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
|
||||
index 1efca5f44..c3d0b0964 100644
|
||||
--- a/rhel8/profiles/rhelh-stig.profile
|
||||
@ -79,5 +105,5 @@ index a63ae2cf3..da669bb84 100644
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.21.1
|
||||
2.26.2
|
||||
|
||||
|
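Review bot: The four `ssg_build_html_anssirefs_table(${PRODUCT} "bp28_*")` calls are deleted outright, while the line right above them keeps `nt28_minimal` as a commented-out call under `# Uncomment when anssi profiles are marked documentation_complete: true`; commenting the bp28 lines out in that same style (`#ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")` and the three siblings) would keep that comment truthful and make re-enabling a profile a one-line change next to its `documentation_complete` flag. The inner hunk header moves from `@@ -14,9 +14,8 @@` to `@@ -14,15 +14,9 @@` and the diffstat from `2 --` to `6 ------`, so six lines now leave rhel8/CMakeLists.txt, but only five `-` lines are visible here; the sixth presumably sits in the part of the inner hunk this page does not show. Setting `documentation_complete: false` on cjis, ism_o, rhelh-stig, rhelh-vpp, rht-ccp and standard disables those profiles for the shipped build, which is a user-visible removal of profile IDs; if the package changelog does not already list them, it should, since tailoring files and kickstarts that reference them will stop resolving. The file header for this section is not shown in this chunk, so the patch's own filename cannot be confirmed from here.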
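--- /dev/null
+++ b/SOURCES/remove-ANSSI-high-ks.patch
@@ -0,0 +1,187 @@
+From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 17 Feb 2021 15:36:59 +0100
+Subject: [PATCH] Remove kickstart for profile not shipped
+
+RHEL-8 ANSSI high is not shipped at the momment
+---
+.../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
+1 file changed, 167 deletions(-)
+delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+deleted file mode 100644
+index b5c09253a..000000000
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ /dev/null
+@@ -1,167 +0,0 @@
+-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+-# Version: 0.0.1
+-# Date: 2020-12-10
+-#
+-# Based on:
+-# https://pykickstart.readthedocs.io/en/latest/
+-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+-
+-# Specify installation method to use for installation
+-# To use a different one comment out the 'url' one below, update
+-# the selected choice with proper options & un-comment it
+-#
+-# Install from an installation tree on a remote server via FTP or HTTP:
+-# --url the URL to install from
+-#
+-# Example:
+-#
+-# url --url=http://192.168.122.1/image
+-#
+-# Modify concrete URL in the above example appropriately to reflect the actual
+-# environment machine is to be installed in
+-#
+-# Other possible / supported installation methods:
+-# * install from the first CD-ROM/DVD drive on the system:
+-#
+-# cdrom
+-#
+-# * install from a directory of ISO images on a local drive:
+-#
+-# harddrive --partition=hdb2 --dir=/tmp/install-tree
+-#
+-# * install from provided NFS server:
+-#
+-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+-#
+-# Set language to use during installation and the default language to use on the installed system (required)
+-lang en_US.UTF-8
+-
+-# Set system keyboard type / layout (required)
+-keyboard us
+-
+-# Configure network information for target system and activate network devices in the installer environment (optional)
+-# --onboot enable device at a boot time
+-# --device device to be activated and / or configured with the network command
+-# --bootproto method to obtain networking configuration for device (default dhcp)
+-# --noipv6 disable IPv6 on this device
+-#
+-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+-# "--bootproto=static" must be used. For example:
+-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+-#
+-network --onboot yes --bootproto dhcp --noipv6
+-
+-# Set the system's root password (required)
+-# Plaintext password is: server
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+-
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled reject incoming connections that are not in response to outbound requests
+-# --ssh allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+-# Set the system time zone (required)
+-timezone --utc America/New_York
+-
+-# Specify how the bootloader should be installed (required)
+-# Plaintext password is: password
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+-
+-# Initialize (format) all disks (optional)
+-zerombr
+-
+-# The following partition layout scheme assumes disk of size 20GB or larger
+-# Modify size of partitions appropriately to reflect actual machine's hardware
+-#
+-# Remove Linux partitions from the system prior to creating new ones (optional)
+-# --linux erase all Linux partitions
+-# --initlabel initialize the disk label to the default based on the underlying architecture
+-clearpart --linux --initlabel
+-
+-# Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
+-
+-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+-# content - security policies - on the installed system.This add-on has been enabled by default
+-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+-# functionality will automatically be installed. However, by default, no policies are enforced,
+-# meaning that no checks are performed during or after installation unless specifically configured.
+-#
+-# Important
+-# Applying a security policy is not necessary on all systems. This screen should only be used
+-# when a specific policy is mandated by your organization rules or government regulations.
+-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+-# Values can be optionally enclosed in single quotes (') or double quotes (").
+-#
+-# The following keys are recognized by the add-on:
+-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+-# - If the content-type is scap-security-guide, the add-on will use content provided by the
+-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+-# xccdf-id - ID of the benchmark you want to use.
+-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+-# profile - ID of the profile to be applied. Use default to apply the default profile.
+-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+-#
+-# The following is an example %addon org_fedora_oscap section which uses content from the
+-# scap-security-guide on the installation media:
+-%addon org_fedora_oscap
+- content-type = scap-security-guide
+- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+-%end
+-
+-# Packages selection (%packages section is required)
+-%packages
+-
+-# Require @Base
+-@Base
+-
+-%end # End of %packages section
+-
+-# Reboot after the installation is complete (optional)
+-# --eject attempt to eject CD or DVD media before rebooting
+-reboot --eject
+--
+2.26.2
+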
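Review bot: The patch body justifies the deletion only with `RHEL-8 ANSSI high is not shipped at the momment`, but what actually makes the profile unshipped is the companion change in this same import that sets `documentation_complete: false` in rhel8/profiles/anssi_bp28_high.profile; the description should name that flag (and fix the `momment` typo) so that whoever re-enables the profile later knows to restore rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg together with it. The removed kickstart also carried example credential hashes whose plaintexts are spelled out in comments (`# Plaintext password is: server`, `admin123`, `password`); that is normal for an installer example, but the remaining rhel8 kickstarts presumably share this template, so the example-only nature of those values is worth stating wherever the kickstarts are documented.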
@ -1,737 +0,0 @@
|
||||
From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 22:27:47 +0200
|
||||
Subject: [PATCH 1/5] Add check for zipl installed
|
||||
|
||||
Based and valid in RHEL, where zipl is part of s390utils-base.
|
||||
---
|
||||
rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++
|
||||
.../oval/installed_env_has_zipl_package.xml | 37 +++++++++++++++++++
|
||||
ssg/constants.py | 1 +
|
||||
3 files changed, 42 insertions(+)
|
||||
create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml
|
||||
|
||||
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
index 694cbb5a4e..cccb3c5791 100644
|
||||
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
@@ -67,4 +67,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml
|
||||
new file mode 100644
|
||||
index 0000000000..ab6545669d
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_has_zipl_package.xml
|
||||
@@ -0,0 +1,37 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory"
|
||||
+ id="installed_env_has_zipl_package" version="1">
|
||||
+ <metadata>
|
||||
+ <title>System uses zIPL</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_all</platform>
|
||||
+ </affected>
|
||||
+ <description>Checks if system uses zIPL bootloader.</description>
|
||||
+ <reference ref_id="cpe:/a:zipl" source="CPE" />
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="Package s390utils-base is installed" test_ref="test_env_has_zipl_installed" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+{{% if pkg_system == "rpm" %}}
|
||||
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
|
||||
+ id="test_env_has_zipl_installed" version="1"
|
||||
+ comment="system has package zipl installed">
|
||||
+ <linux:object object_ref="obj_env_has_zipl_installed" />
|
||||
+ </linux:rpminfo_test>
|
||||
+ <linux:rpminfo_object id="obj_env_has_zipl_installed" version="1">
|
||||
+ <linux:name>s390utils-base</linux:name>
|
||||
+ </linux:rpminfo_object>
|
||||
+{{% elif pkg_system == "dpkg" %}}
|
||||
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
|
||||
+ id="test_env_has_zipl_installed" version="1"
|
||||
+ comment="system has package zipl installed">
|
||||
+ <linux:object object_ref="obj_env_has_zipl_installed" />
|
||||
+ </linux:dpkginfo_test>
|
||||
+ <linux:dpkginfo_object id="obj_env_has_zipl_installed" version="1">
|
||||
+ <linux:name>s390utils-base</linux:name>
|
||||
+ </linux:dpkginfo_object>
|
||||
+{{% endif %}}
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index fb20fe8107..f03aa87f09 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -506,6 +506,7 @@
|
||||
"sssd": "cpe:/a:sssd",
|
||||
"systemd": "cpe:/a:systemd",
|
||||
"yum": "cpe:/a:yum",
|
||||
+ "zipl": "cpe:/a:zipl",
|
||||
}
|
||||
|
||||
# _version_name_map = {
|
||||
|
||||
From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 22:33:07 +0200
|
||||
Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content
|
||||
|
||||
Add zipl platform to bootloader-zipl and machine platform to all zipl
|
||||
rules.
|
||||
Final applicability of zipl rules is equivalent to "machine and zipl"
|
||||
CPE platform.
|
||||
---
|
||||
linux_os/guide/system/bootloader-zipl/group.yml | 2 +-
|
||||
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 ++
|
||||
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 ++
|
||||
.../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml | 2 ++
|
||||
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 ++
|
||||
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 2 ++
|
||||
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 ++
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 ++
|
||||
8 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
|
||||
index 36da84530c..64c6c8dffb 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/group.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
|
||||
@@ -8,4 +8,4 @@ description: |-
|
||||
options to it.
|
||||
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
|
||||
|
||||
-platform: machine
|
||||
+platform: zipl
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index 16c0b3f89a..2d31ef8ee7 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -38,3 +38,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 47a532d50f..40db232257 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -39,3 +39,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
index 5aa91c16aa..8d28d5495f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
@@ -35,3 +35,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index 8546325752..0a8e9a41e2 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -39,3 +39,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
index eaef25ce40..20c1448cc8 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
@@ -38,3 +38,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 68e91a92d6..54ac688ea0 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -39,3 +39,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index 9624b43349..c5979a2016 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -36,3 +36,5 @@ ocil: |-
|
||||
and <tt>/etc/zipl.conf</tt>:
|
||||
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
+
|
||||
+platform: machine
|
||||
|
||||
From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 23:02:44 +0200
|
||||
Subject: [PATCH 3/5] Add check for grub2 installed
|
||||
|
||||
Apply new CPE grub2 to bootloader-grub2 group.
|
||||
---
|
||||
.../file_groupowner_efi_grub2_cfg/rule.yml | 2 +
|
||||
.../file_groupowner_grub2_cfg/rule.yml | 2 +
|
||||
.../file_owner_efi_grub2_cfg/rule.yml | 2 +
|
||||
.../file_owner_grub2_cfg/rule.yml | 2 +
|
||||
.../guide/system/bootloader-grub2/group.yml | 2 +-
|
||||
.../grub2_admin_username/rule.yml | 2 +
|
||||
.../grub2_enable_iommu_force/rule.yml | 2 +
|
||||
.../grub2_no_removeable_media/rule.yml | 2 +
|
||||
.../bootloader-grub2/grub2_password/rule.yml | 2 +
|
||||
.../grub2_uefi_admin_username/rule.yml | 2 +
|
||||
.../grub2_uefi_password/rule.yml | 2 +
|
||||
.../uefi_no_removeable_media/rule.yml | 2 +
|
||||
.../oval/installed_env_has_grub2_package.xml | 37 +++++++++++++++++++
|
||||
ssg/constants.py | 1 +
|
||||
14 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
|
||||
index b5b583bd28..a6ac6f7b6b 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
|
||||
@@ -51,6 +51,8 @@ ocil: |-
|
||||
{{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}}
|
||||
{{%- endif %}}
|
||||
|
||||
+platform: machine
|
||||
+
|
||||
template:
|
||||
name: file_groupowner
|
||||
vars:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
|
||||
index 9d89ff5755..93dbf5222d 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
|
||||
@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou
|
||||
|
||||
ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}'
|
||||
|
||||
+platform: machine
|
||||
+
|
||||
template:
|
||||
name: file_groupowner
|
||||
vars:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
|
||||
index ed17987478..e2c118cf0a 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
|
||||
@@ -49,6 +49,8 @@ ocil: |-
|
||||
{{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}}
|
||||
{{%- endif %}}
|
||||
|
||||
+platform: machine
|
||||
+
|
||||
template:
|
||||
name: file_owner
|
||||
vars:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
|
||||
index 9ce4c3d60b..5086553921 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
|
||||
@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo
|
||||
|
||||
ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}'
|
||||
|
||||
+platform: machine
|
||||
+
|
||||
template:
|
||||
name: file_owner
|
||||
vars:
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
|
||||
index 69489bc0c2..4ffb40c0e8 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/group.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/group.yml
|
||||
@@ -15,4 +15,4 @@ description: |-
|
||||
with a password and ensure its configuration file's permissions
|
||||
are set properly.
|
||||
|
||||
-platform: machine
|
||||
+platform: grub2
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
index 63a6a7a83c..15db01a75f 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
@@ -68,3 +68,5 @@ warnings:
|
||||
|
||||
Also, do NOT manually add the superuser account and password to the
|
||||
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
index baade9c13e..d4f455e66a 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||||
@@ -17,3 +17,5 @@ identifiers:
|
||||
|
||||
references:
|
||||
anssi: NT28(R11)
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
|
||||
index 113726d34f..c8956c2f34 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
|
||||
@@ -37,3 +37,5 @@ ocil: |-
|
||||
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
|
||||
media which should not exist in the line:
|
||||
<pre>set root='hd0,msdos1'</pre>
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
index 985b8727d7..b6e9774608 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
@@ -72,3 +72,5 @@ warnings:
|
||||
|
||||
Also, do NOT manually add the superuser account and password to the
|
||||
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
index 1926837db7..5abd86b9d9 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
@@ -75,3 +75,5 @@ warnings:
|
||||
|
||||
Also, do NOT manually add the superuser account and password to the
|
||||
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
index 3ce5a2df13..3114d2d27c 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
@@ -73,3 +73,5 @@ warnings:
|
||||
|
||||
Also, do NOT manually add the superuser account and password to the
|
||||
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
|
||||
index c94185f3f4..5de05c057a 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
|
||||
@@ -35,3 +35,5 @@ ocil: |-
|
||||
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
|
||||
media which should not exist in the line:
|
||||
<pre>set root='hd0,msdos1'</pre>
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
new file mode 100644
|
||||
index 0000000000..e83f45bc3b
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
@@ -0,0 +1,37 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory"
|
||||
+ id="installed_env_has_grub2_package" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Package grub2 is installed</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>multi_platform_all</platform>
|
||||
+ </affected>
|
||||
+ <description>Checks if package grub2-pc is installed.</description>
|
||||
+ <reference ref_id="cpe:/a:grub2" source="CPE" />
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+{{% if pkg_system == "rpm" %}}
|
||||
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
|
||||
+ id="test_env_has_grub2_installed" version="1"
|
||||
+ comment="system has package grub2-pc installed">
|
||||
+ <linux:object object_ref="obj_env_has_grub2_installed" />
|
||||
+ </linux:rpminfo_test>
|
||||
+ <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
|
||||
+ <linux:name>grub2-pc</linux:name>
|
||||
+ </linux:rpminfo_object>
|
||||
+{{% elif pkg_system == "dpkg" %}}
|
||||
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
|
||||
+ id="test_env_has_grub2_installed" version="1"
|
||||
+ comment="system has package grub2-pc installed">
|
||||
+ <linux:object object_ref="obj_env_has_grub2_installed" />
|
||||
+ </linux:dpkginfo_test>
|
||||
+ <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
|
||||
+ <linux:name>grub2-pc</linux:name>
|
||||
+ </linux:dpkginfo_object>
|
||||
+{{% endif %}}
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index f03aa87f09..318763b219 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -498,6 +498,7 @@
|
||||
"container": "cpe:/a:container",
|
||||
"chrony": "cpe:/a:chrony",
|
||||
"gdm": "cpe:/a:gdm",
|
||||
+ "grub2": "cpe:/a:grub2",
|
||||
"libuser": "cpe:/a:libuser",
|
||||
"nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
|
||||
"ntp": "cpe:/a:ntp",
|
||||
|
||||
From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 16:58:14 +0200
|
||||
Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform
|
||||
|
||||
It should have both platforms machine and grub2.
|
||||
But as the parent group is very broad, I cannot put parent group as
|
||||
machine.
|
||||
|
||||
As a side effect this change makes this rules applicable in containers.
|
||||
---
|
||||
.../accounts-physical/grub2_disable_interactive_boot/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
|
||||
index 3080470aa8..44ea1aa49a 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
|
||||
@@ -48,4 +48,4 @@ ocil: |-
|
||||
Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
|
||||
that interactive boot is enabled at boot time.
|
||||
|
||||
-platform: machine
|
||||
+platform: grub2
|
||||
|
||||
From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 23:20:18 +0200
|
||||
Subject: [PATCH 5/5] Update CPE Dictionaries
|
||||
|
||||
Again, whenever a package CPE is added, all CPE dictionaries need to be
|
||||
updated.
|
||||
Because the project doesn't share CPEs among the products.
|
||||
---
|
||||
debian10/cpe/debian10-cpe-dictionary.xml | 5 +++++
|
||||
debian8/cpe/debian8-cpe-dictionary.xml | 5 +++++
|
||||
debian9/cpe/debian9-cpe-dictionary.xml | 5 +++++
|
||||
fedora/cpe/fedora-cpe-dictionary.xml | 5 +++++
|
||||
ol7/cpe/ol7-cpe-dictionary.xml | 5 +++++
|
||||
ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++
|
||||
opensuse/cpe/opensuse-cpe-dictionary.xml | 5 +++++
|
||||
rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++++
|
||||
rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++
|
||||
rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++
|
||||
sle11/cpe/sle11-cpe-dictionary.xml | 5 +++++
|
||||
sle12/cpe/sle12-cpe-dictionary.xml | 5 +++++
|
||||
sle15/cpe/sle15-cpe-dictionary.xml | 5 +++++
|
||||
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 5 +++++
|
||||
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 5 +++++
|
||||
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 5 +++++
|
||||
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++
|
||||
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 5 +++++
|
||||
18 files changed, 90 insertions(+)
|
||||
|
||||
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
index 5cc27ceb79..f2dbd09cfc 100644
|
||||
--- a/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
index 38d490138a..f385709052 100644
|
||||
--- a/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
index f01770b044..bc90a12bae 100644
|
||||
--- a/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
index 2964e320c2..ff7cebc322 100644
|
||||
--- a/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
@@ -62,6 +62,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
index c153272121..613f853a6d 100644
|
||||
--- a/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
index 3fd74e53ca..912fe01346 100644
|
||||
--- a/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
index 1ab4e85ea8..7f485b800e 100644
|
||||
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
@@ -42,6 +42,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
index a5214e36f0..f232b7ed29 100644
|
||||
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
@@ -57,6 +57,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
index cccb3c5791..eab827291f 100644
|
||||
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
|
||||
@@ -32,6 +32,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
index ce9b06dcae..db1b4b239b 100644
|
||||
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
@@ -32,6 +32,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
index c732ecb48a..1b6b3e2518 100644
|
||||
--- a/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
@@ -32,6 +32,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
index 79daa31412..b1b66e1294 100644
|
||||
--- a/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
@@ -32,6 +32,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml
|
||||
index 91d3d78b19..0ee5a1b817 100644
|
||||
--- a/sle15/cpe/sle15-cpe-dictionary.xml
|
||||
+++ b/sle15/cpe/sle15-cpe-dictionary.xml
|
||||
@@ -32,6 +32,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
index df5abff723..7f3ce4271b 100644
|
||||
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
index 6269344376..83f0c8c516 100644
|
||||
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
index ccb285768e..77b78d74ec 100644
|
||||
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
@@ -27,6 +27,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
index 73e419c9ab..cc4e806a4d 100644
|
||||
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
@@ -26,6 +26,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
index 8449ea1416..824c575a6a 100644
|
||||
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
@@ -26,6 +26,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
@ -1,595 +0,0 @@
|
||||
From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 25 May 2020 14:33:06 +0200
|
||||
Subject: [PATCH 1/5] Add zIPL bootloader group
|
||||
|
||||
---
|
||||
linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
|
||||
new file mode 100644
|
||||
index 0000000000..36da84530c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
|
||||
@@ -0,0 +1,11 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'zIPL bootloader configuration'
|
||||
+
|
||||
+description: |-
|
||||
+ During the boot process, the bootloader is
|
||||
+ responsible for starting the execution of the kernel and passing
|
||||
+ options to it.
|
||||
+ The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
|
||||
+
|
||||
+platform: machine
|
||||
|
||||
From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 25 May 2020 15:26:19 +0200
|
||||
Subject: [PATCH 2/5] Add zIPL rule for early audit capability
|
||||
|
||||
---
|
||||
.../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++
|
||||
1 file changed, 40 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..ce2bd60c59
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -0,0 +1,40 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
|
||||
+
|
||||
+description: |-
|
||||
+ To ensure all processes can be audited, even those which start prior to the audit daemon,
|
||||
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
|
||||
+ included in its options.
|
||||
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
|
||||
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
|
||||
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
|
||||
+
|
||||
+ To ensure that new kernels and boot entries continue to enable audit,
|
||||
+ add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Each process on the system carries an "auditable" flag which indicates whether
|
||||
+ its activities can be audited. Although <tt>auditd</tt> takes care of enabling
|
||||
+ this for all processes which launch after it does, adding the kernel argument
|
||||
+ ensures it is set for every process during boot.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+ocil_clause: 'auditing is not enabled at boot time'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check that audit is enabled at boot time, check all boot entries with following command:
|
||||
+ <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
|
||||
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
||||
+
|
||||
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
|
||||
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
|
||||
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
|
||||
+
|
||||
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
+ and <tt>/etc/zipl.conf</tt>:
|
||||
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
|
||||
From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 26 May 2020 15:06:12 +0200
|
||||
Subject: [PATCH 3/5] Add few more zIPL kernel option rules
|
||||
|
||||
Add rules for following options:
|
||||
- audit_backlog_limit
|
||||
- selinux
|
||||
- audit_backlog_limit
|
||||
- enable_selinux
|
||||
- page_poison
|
||||
- pti
|
||||
- slub_debug
|
||||
- vsyscall
|
||||
---
|
||||
.../rule.yml | 41 +++++++++++++++++++
|
||||
.../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++
|
||||
.../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++
|
||||
.../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++
|
||||
.../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++
|
||||
.../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++
|
||||
6 files changed, 241 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..08c5b53207
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+
+description: |-
+ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
+ to the audit daemon. Until the audit daemon is up and running, all log messages
+ are stored in this queue. If the queue is overrun during boot process, the action
+ defined by audit failure flag is taken.
+
+severity: medium
+
+ocil_clause: 'audit backlog limit is not configured'
+
+ocil: |-
+ To check that all boot entries extend the backlog limit;
+ Check that all boot entries extend the log events queue:
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
new file mode 100644
index 0000000000..e7a455b90c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure SELinux Not Disabled in zIPL'
+
+description: |-
+ To ensure SELinux is not disabled at boot time,
+ check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+rationale: |-
+ Disabling a major host protection feature, such as SELinux, at boot time prevents
+ it from confining system services at boot time. Further, it increases
+ the chances that it will remain off during system operation.
+
+severity: medium
+
+ocil_clause: 'SELinux is disabled at boot time'
+
+ocil: |-
+ To check that selinux is not disabled at boot time;
+ Check that no boot entry disables selinux:
+ <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that disables SELinux.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
new file mode 100644
index 0000000000..b8a2eecee6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable page allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of free pages,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page poisoning,
+ add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'page allocator poisoning is not enabled'
+
+ocil: |-
+ To check that page poisoning is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
new file mode 100644
index 0000000000..4757871a5f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+
+description: |-
+ To enable Kernel page-table isolation,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page-table isolation,
+ add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Kernel page-table isolation is a kernel feature that mitigates
+ the Meltdown security vulnerability and hardens the kernel
+ against attempts to bypass kernel address space layout
+ randomization (KASLR).
+
+severity: medium
+
+ocil_clause: 'Kernel page-table isolation is not enabled'
+
+ocil: |-
+ To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
new file mode 100644
index 0000000000..166dd41afd
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of SLUB/SLAB objects,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed objects, so any modification or
+ reference to that object after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+ocil: |-
+ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
+ <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not enable poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
new file mode 100644
index 0000000000..6b95d16fb8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable vsyscalls in zIPL'
+
+description: |-
+ To disable use of virtual syscalls,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to disable virtual syscalls,
+ add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'vsyscalls are enabled'
+
+ocil: |-
+ To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Jun 2020 13:29:39 +0200
Subject: [PATCH 4/5] Fix formatting of zIPL rules
<pre> is renderend in a separate line, while <tt> is rendered inline.
Add line breaks for better readability.
---
.../bootloader-zipl/zipl_audit_argument/rule.yml | 10 +++++-----
.../zipl_audit_backlog_limit_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_enable_selinux/rule.yml | 8 ++++----
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
.../system/bootloader-zipl/zipl_pti_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_vsyscall_argument/rule.yml | 10 +++++-----
7 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
- add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Each process on the system carries an "auditable" flag which indicates whether
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 08c5b53207..47a532d50f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index e7a455b90c..5aa91c16aa 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index b8a2eecee6..8546325752 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
- add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 4757871a5f..eaef25ce40 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
- add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Kernel page-table isolation is a kernel feature that mitigates
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 166dd41afd..68e91a92d6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed objects, so any modification or
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 6b95d16fb8..8d39337f9e 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
- add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 13:08:07 +0200
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
copy-pasta error
---
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 8d39337f9e..9624b43349 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -16,11 +16,8 @@ description: |-
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
- Poisoning writes an arbitrary value to freed pages, so any modification or
- reference to that page after being freed or before being initialized will be
- detected and prevented.
- This prevents many types of use-after-free vulnerabilities at little performance cost.
- Also prevents leak of data and detection of corrupted memory.
+ Virtual Syscalls provide an opportunity of attack for a user who has control
+ of the return instruction pointer.
severity: medium
@ -1,71 +0,0 @@
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 08:17:20 +0200
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
---
.../ansible/shared.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
new file mode 100644
index 0000000000..5d76b3c073
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: yes
+ dest: "/etc/logrotate.conf"
+ regexp: "^daily$"
+ line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: no
+ dest: "/etc/logrotate.conf"
+ regexp: "^(weekly|monthly|yearly)$"
+ state: absent
+
+- name: Configure cron.daily if not already
+ block:
+ - name: Add shebang
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: "#!/bin/sh"
+ insertbefore: BOF
+ create: yes
+ - name: Add logrotate call
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:48:15 +0200
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
Test scenario when monthly is there, but weekly is not.
---
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
new file mode 100644
index 0000000000..b10362989b
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf
@ -1,115 +0,0 @@
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:49:08 +0200
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
---
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..a816eea390
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+#!/bin/bash
|
||||
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
+
|
||||
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
||||
+ else
|
||||
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..b36125f5bb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+#!/bin/bash
|
||||
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
+
|
||||
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
||||
+ else
|
||||
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
+fi
|
||||
|
||||
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 13 May 2020 20:53:50 +0200
|
||||
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
|
||||
|
||||
---
|
||||
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
|
||||
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
|
||||
.../tests/correct_value.pass.sh | 2 +-
|
||||
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
|
||||
4 files changed, 22 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..a7e171dfe9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
||||
@@ -0,0 +1,8 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+- (xccdf-var var_sshd_max_sessions)
|
||||
+
|
||||
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fc0a1d8b42
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+# Include source function library.
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+populate var_sshd_max_sessions
|
||||
+
|
||||
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
index a816eea390..4cc6d65988 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
||||
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
||||
else
|
||||
- echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
||||
fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
index b36125f5bb..bc0c47842a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
||||
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
||||
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
||||
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
||||
else
|
||||
- echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
||||
fi
|
@ -1,147 +0,0 @@
|
||||
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 11:52:35 +0200
|
||||
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
|
||||
|
||||
Very likey a copy-pasta error from bash remediation for
|
||||
audit_rules_immutable
|
||||
---
|
||||
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
index 1c9748ce9b..b56513cdcd 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
@@ -8,7 +8,7 @@
|
||||
# files to check if '-f .*' setting is present in that '*.rules' file already.
|
||||
# If found, delete such occurrence since auditctl(8) manual page instructs the
|
||||
# '-f 2' rule should be placed as the last rule in the configuration
|
||||
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
|
||||
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
|
||||
|
||||
# Append '-f 2' requirement at the end of both:
|
||||
# * /etc/audit/audit.rules file (for auditctl case)
|
||||
|
||||
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 12:12:21 +0200
|
||||
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
|
||||
|
||||
Along with very basic test scenarios
|
||||
---
|
||||
.../ansible/shared.yml | 28 +++++++++++++++++++
|
||||
.../tests/augen_correct.pass.sh | 4 +++
|
||||
.../tests/augen_e_2_immutable.fail.sh | 3 ++
|
||||
3 files changed, 35 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..b9e8fa87fa
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
|
||||
@@ -0,0 +1,28 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Collect all files from /etc/audit/rules.d with .rules extension
|
||||
+ find:
|
||||
+ paths: "/etc/audit/rules.d/"
|
||||
+ patterns: "*.rules"
|
||||
+ register: find_rules_d
|
||||
+
|
||||
+- name: Remove the -f option from all Audit config files
|
||||
+ lineinfile:
|
||||
+ path: "{{ item }}"
|
||||
+ regexp: '^\s*(?:-f)\s+.*$'
|
||||
+ state: absent
|
||||
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
|
||||
+
|
||||
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
+ lineinfile:
|
||||
+ path: "{{ item }}"
|
||||
+ create: True
|
||||
+ line: "-f 2"
|
||||
+ loop:
|
||||
+ - "/etc/audit/audit.rules"
|
||||
+ - "/etc/audit/rules.d/immutable.rules"
|
||||
+
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0587b937e0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
|
||||
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fa5b7231df
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
|
||||
|
||||
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:06:08 +0200
|
||||
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
|
||||
|
||||
---
|
||||
.../audit_rules_immutable/ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
index 5ac7b3dabb..1cafb744cc 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
|
||||
@@ -17,7 +17,7 @@
|
||||
state: absent
|
||||
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
|
||||
|
||||
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
|
||||
lineinfile:
|
||||
path: "{{ item }}"
|
||||
create: True
|
||||
|
||||
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 19 May 2020 11:02:56 +0200
|
||||
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
|
||||
|
||||
---
|
||||
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
|
||||
1 file changed, 8 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
index b56513cdcd..a349bb1ca1 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
|
||||
@@ -4,16 +4,8 @@
|
||||
#
|
||||
# /etc/audit/audit.rules, (for auditctl case)
|
||||
# /etc/audit/rules.d/*.rules (for augenrules case)
|
||||
-#
|
||||
-# files to check if '-f .*' setting is present in that '*.rules' file already.
|
||||
-# If found, delete such occurrence since auditctl(8) manual page instructs the
|
||||
-# '-f 2' rule should be placed as the last rule in the configuration
|
||||
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
|
||||
|
||||
-# Append '-f 2' requirement at the end of both:
|
||||
-# * /etc/audit/audit.rules file (for auditctl case)
|
||||
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
|
||||
-
|
||||
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
|
||||
do
|
||||
echo '' >> $AUDIT_FILE
|
@ -1,49 +0,0 @@
|
||||
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 21 May 2020 18:16:43 +0200
|
||||
Subject: [PATCH] Attribute content to CIS
|
||||
|
||||
And update the description a bit.
|
||||
---
|
||||
rhel7/profiles/cis.profile | 8 +++++---
|
||||
rhel8/profiles/cis.profile | 8 +++++---
|
||||
2 files changed, 10 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
||||
index 0826a49547..829c388133 100644
|
||||
--- a/rhel7/profiles/cis.profile
|
||||
+++ b/rhel7/profiles/cis.profile
|
||||
@@ -3,9 +3,11 @@ documentation_complete: true
|
||||
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
|
||||
|
||||
description: |-
|
||||
- This baseline aligns to the Center for Internet Security
|
||||
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
|
||||
- 12-27-2017.
|
||||
+ This profile defines a baseline that aligns to the Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
|
||||
+
|
||||
+ This profile includes Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
|
||||
|
||||
selections:
|
||||
# Necessary for dconf rules
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index f332ee5462..868b9f21a6 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -3,9 +3,11 @@ documentation_complete: true
|
||||
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
|
||||
|
||||
description: |-
|
||||
- This baseline aligns to the Center for Internet Security
|
||||
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
|
||||
- 09-30-2019.
|
||||
+ This profile defines a baseline that aligns to the Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
|
||||
+
|
||||
+ This profile includes Center for Internet Security®
|
||||
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
||||
|
||||
selections:
|
||||
# Necessary for dconf rules
|
@ -1,274 +0,0 @@
|
||||
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 25 May 2020 12:17:48 +0200
|
||||
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
|
||||
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
|
||||
2 files changed, 250 insertions(+)
|
||||
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..14c82c4231
|
||||
--- /dev/null
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
|
||||
@@ -0,0 +1,125 @@
|
||||
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
|
||||
+# Version: 0.0.1
|
||||
+# Date: 2020-05-25
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# --enableshadow enable shadowed passwords by default
|
||||
+# --passalgo hash / crypt algorithm for new passwords
|
||||
+# See the manual page for authconfig for a complete list of possible options.
|
||||
+authconfig --enableshadow --passalgo=sha512
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Plaintext password is: password
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+autopart
|
||||
+
|
||||
+# Harden installation with HIPAA profile
|
||||
+# For more details and configuration options see command %addon org_fedora_oscap in
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_hipaa
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..861db36f18
|
||||
--- /dev/null
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
|
||||
@@ -0,0 +1,125 @@
|
||||
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
|
||||
+# Version: 0.0.1
|
||||
+# Date: 2020-05-25
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# sssd profile sets sha512 to hash passwords
|
||||
+# passwords are shadowed by default
|
||||
+# See the manual page for authselect-profile for a complete list of possible options.
|
||||
+authselect select sssd
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Plaintext password is: password
|
||||
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||
+# encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+autopart
|
||||
+
|
||||
+# Harden installation with HIPAA profile
|
||||
+# For more details and configuration options see
|
||||
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_hipaa
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
|
@ -1,76 +0,0 @@
|
||||
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 22 May 2020 14:12:18 +0200
|
||||
Subject: [PATCH] Add missing CCEs for RHEL8
|
||||
|
||||
---
|
||||
.../password_storage/no_netrc_files/rule.yml | 1 +
|
||||
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
|
||||
.../file_groupownership_home_directories/rule.yml | 1 +
|
||||
shared/references/cce-redhat-avail.txt | 3 ---
|
||||
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
index 8547893201..1bd1f5742e 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
|
||||
@@ -18,6 +18,7 @@ severity: medium
|
||||
identifiers:
|
||||
cce@rhel6: 27225-2
|
||||
cce@rhel7: 80211-6
|
||||
+ cce@rhel8: 83444-0
|
||||
cce@ocp4: 82667-7
|
||||
|
||||
references:
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
index bedf3a0b19..e69bc9d736 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
||||
@@ -21,6 +21,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: 80529-1
|
||||
+ cce@rhel8: 83424-2
|
||||
|
||||
references:
|
||||
stigid@ol7: "020620"
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 1c5ac8d099..f931f6d160 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -20,6 +20,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: 80532-5
|
||||
+ cce@rhel8: 83434-1
|
||||
|
||||
references:
|
||||
stigid@ol7: "020650"
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 2f0d2a526b..45d03a2c1d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -95,7 +95,6 @@ CCE-83411-9
|
||||
CCE-83421-8
|
||||
CCE-83422-6
|
||||
CCE-83423-4
|
||||
-CCE-83424-2
|
||||
CCE-83425-9
|
||||
CCE-83426-7
|
||||
CCE-83427-5
|
||||
@@ -105,7 +104,6 @@ CCE-83430-9
|
||||
CCE-83431-7
|
||||
CCE-83432-5
|
||||
CCE-83433-3
|
||||
-CCE-83434-1
|
||||
CCE-83435-8
|
||||
CCE-83436-6
|
||||
CCE-83437-4
|
||||
@@ -115,7 +113,6 @@ CCE-83440-8
|
||||
CCE-83441-6
|
||||
CCE-83442-4
|
||||
CCE-83443-2
|
||||
-CCE-83444-0
|
||||
CCE-83445-7
|
||||
CCE-83446-5
|
||||
CCE-83447-3
|
@ -1,103 +0,0 @@
|
||||
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 13:30:24 +0200
|
||||
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
|
||||
|
||||
---
|
||||
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
index e9a29a24d5..6fbb7c72a5 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
||||
@@ -3,13 +3,9 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
-- name: Test for existence of /etc/securetty
|
||||
- stat:
|
||||
- path: /etc/securetty
|
||||
- register: securetty_empty
|
||||
+
|
||||
|
||||
- name: "Direct root Logins Not Allowed"
|
||||
copy:
|
||||
dest: /etc/securetty
|
||||
content: ""
|
||||
- when: securetty_empty.stat.size > 1
|
||||
|
||||
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 14:21:38 +0200
|
||||
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
|
||||
|
||||
---
|
||||
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
|
||||
index 29f37081be..38d7c7c350 100644
|
||||
--- a/shared/templates/template_ANSIBLE_sebool
|
||||
+++ b/shared/templates/template_ANSIBLE_sebool
|
||||
@@ -13,11 +13,17 @@
|
||||
{{% else %}}
|
||||
- (xccdf-var var_{{{ SEBOOLID }}})
|
||||
|
||||
+{{% if product == "rhel8" %}}
|
||||
+- name: Ensure python3-libsemanage installed
|
||||
+ package:
|
||||
+ name: python3-libsemanage
|
||||
+ state: present
|
||||
+{{% else %}}
|
||||
- name: Ensure libsemanage-python installed
|
||||
package:
|
||||
name: libsemanage-python
|
||||
state: present
|
||||
-
|
||||
+{{% endif %}}
|
||||
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
|
||||
seboolean:
|
||||
name: {{{ SEBOOLID }}}
|
||||
|
||||
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 May 2020 14:57:05 +0200
|
||||
Subject: [PATCH 3/3] add tests for no_direct_root_logins
|
||||
|
||||
---
|
||||
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
|
||||
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
|
||||
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
|
||||
3 files changed, 9 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..17251f6a98
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo > /etc/securetty
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c764814b26
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+rm -f /etc/securetty
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..43ac341e87
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "something" > /etc/securetty
|
@ -1,308 +0,0 @@
|
||||
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 26 May 2020 17:49:21 +0200
|
||||
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
|
||||
|
||||
Affected rules:
|
||||
- selinux_policytype
|
||||
- selinux_state
|
||||
---
|
||||
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
|
||||
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
|
||||
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
|
||||
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
|
||||
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
|
||||
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
|
||||
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
|
||||
shared/macros-ansible.jinja | 11 +++++++++++
|
||||
shared/macros-bash.jinja | 15 +++++++++++++++
|
||||
9 files changed, 61 insertions(+), 18 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
index 5c70cc9f7f..9f8cf66dfb 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
@@ -3,11 +3,6 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
- (xccdf-var var_selinux_policy_name)
|
||||
|
||||
-- name: "{{{ rule_title }}}"
|
||||
- lineinfile:
|
||||
- path: /etc/sysconfig/selinux
|
||||
- regexp: '^SELINUXTYPE='
|
||||
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
|
||||
- create: yes
|
||||
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
index d0fbbf4446..2b5ce31b12 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
@@ -1,7 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
-#
|
||||
+
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
populate var_selinux_policy_name
|
||||
|
||||
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
|
||||
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1a6eb94953
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+
|
||||
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
|
||||
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
|
||||
+else
|
||||
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
index b465ac6729..1c1560a86c 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
|
||||
@@ -3,11 +3,6 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
- (xccdf-var var_selinux_state)
|
||||
|
||||
-- name: "{{{ rule_title }}}"
|
||||
- lineinfile:
|
||||
- path: /etc/sysconfig/selinux
|
||||
- regexp: '^SELINUX='
|
||||
- line: "SELINUX={{ var_selinux_state }}"
|
||||
- create: yes
|
||||
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
index 58193b5504..a402a861d7 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
@@ -1,10 +1,11 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
|
||||
-#
|
||||
+
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
populate var_selinux_state
|
||||
|
||||
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
|
||||
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
|
||||
|
||||
fixfiles onboot
|
||||
fixfiles -f relabel
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..180dd80791
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..3db1e56b5f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+SELINUX_FILE='/etc/selinux/config'
|
||||
+
|
||||
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
|
||||
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
|
||||
+else
|
||||
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
|
||||
+fi
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 6798a25d1f..01d3155b37 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
|
||||
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
+{{#
|
||||
+ High level macro to set a parameter in /etc/selinux/config.
|
||||
+ Parameters:
|
||||
+ - msg: the name for the Ansible task
|
||||
+ - parameter: parameter to be set in the configuration file
|
||||
+ - value: value of the parameter
|
||||
+#}}
|
||||
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
|
||||
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
{{#
|
||||
Generates an Ansible task that puts 'contents' into a file at 'filepath'
|
||||
Parameters:
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 3a94fe5dd8..2531d1c52d 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -86,6 +86,21 @@ populate {{{ name }}}
|
||||
}}}
|
||||
{{%- endmacro -%}}
|
||||
|
||||
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
|
||||
+{{{ set_config_file(
|
||||
+ path="/etc/selinux/config",
|
||||
+ parameter=parameter,
|
||||
+ value=value,
|
||||
+ create=true,
|
||||
+ insert_after="",
|
||||
+ insert_before="",
|
||||
+ insensitive=true,
|
||||
+ separator="=",
|
||||
+ separator_regex="\s*=\s*",
|
||||
+ prefix_regex="^\s*")
|
||||
+ }}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
{{#
|
||||
# Install a package
|
||||
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
|
||||
|
||||
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 27 May 2020 18:48:57 +0200
|
||||
Subject: [PATCH 2/2] Remediation requires reboot.
|
||||
|
||||
Update OVAL check to disallow spaces.
|
||||
Removed selinuxtype_minimum test scenario since breaks the system.
|
||||
---
|
||||
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
|
||||
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
|
||||
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
|
||||
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
|
||||
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
|
||||
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
|
||||
shared/macros-ansible.jinja | 2 +-
|
||||
shared/macros-bash.jinja | 4 ++--
|
||||
8 files changed, 14 insertions(+), 16 deletions(-)
|
||||
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
index 9f8cf66dfb..73e6ec7cd4 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
|
||||
@@ -1,5 +1,5 @@
|
||||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
-# reboot = false
|
||||
+# reboot = true
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
index 2b5ce31b12..b4f79c97f9 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
|
||||
@@ -1,4 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
index f1840a1290..3d69fff07f 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
|
||||
@@ -27,7 +27,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
|
||||
<ind:filepath>/etc/selinux/config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
deleted file mode 100644
|
||||
index 1a6eb94953..0000000000
|
||||
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,10 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
|
||||
-
|
||||
-SELINUX_FILE='/etc/selinux/config'
|
||||
-
|
||||
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
|
||||
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
|
||||
-else
|
||||
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
|
||||
-fi
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
index a402a861d7..645a7acab4 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
|
||||
@@ -1,4 +1,8 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
|
||||
+# reboot = true
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
index c0881696e1..8c328060af 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
|
||||
@@ -18,7 +18,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
|
||||
<ind:filepath>/etc/selinux/config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 01d3155b37..580a0b948e 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
|
||||
- value: value of the parameter
|
||||
#}}
|
||||
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
|
||||
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
|
||||
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
{{#
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 2531d1c52d..8abcc914d3 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -96,8 +96,8 @@ populate {{{ name }}}
|
||||
insert_before="",
|
||||
insensitive=true,
|
||||
separator="=",
|
||||
- separator_regex="\s*=\s*",
|
||||
- prefix_regex="^\s*")
|
||||
+ separator_regex="=",
|
||||
+ prefix_regex="^")
|
||||
}}}
|
||||
{{%- endmacro -%}}
|
||||
|
@ -1,29 +0,0 @@
|
||||
From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Mon, 13 Jul 2020 17:52:35 +0200
|
||||
Subject: [PATCH] Fix SCAPVAL error SRC-15
|
||||
|
||||
The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
|
||||
in group `bootloader-grub2`, but this CPE isn't defined in the
|
||||
RHEL 6 CPE dictionary. All used CPEs should be defined in the
|
||||
dictionary.
|
||||
---
|
||||
rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
index bca8986f7a..1b696b88d3 100644
|
||||
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
@@ -47,6 +47,11 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:grub2">
|
||||
+ <title xml:lang="en-us">Package grub2 is installed</title>
|
||||
+ <!-- the check references an OVAL file that contains an inventory definition -->
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
|
||||
+ </cpe-item>
|
||||
<cpe-item name="cpe:/a:libuser">
|
||||
<title xml:lang="en-us">Package libuser is installed</title>
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
@ -1,250 +0,0 @@
|
||||
From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 7 Jul 2020 16:37:30 +0200
|
||||
Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
|
||||
|
||||
The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
|
||||
group `bootloader-zipl` but the definition of the CPE was missing from
|
||||
the CPE dictionary in some datastreams, for example fedora datastream.
|
||||
This triggered error SRC-15 in NIST scapval tool.
|
||||
---
|
||||
debian10/cpe/debian10-cpe-dictionary.xml | 4 ++++
|
||||
debian8/cpe/debian8-cpe-dictionary.xml | 4 ++++
|
||||
debian9/cpe/debian9-cpe-dictionary.xml | 4 ++++
|
||||
fedora/cpe/fedora-cpe-dictionary.xml | 4 ++++
|
||||
ol7/cpe/ol7-cpe-dictionary.xml | 4 ++++
|
||||
ol8/cpe/ol8-cpe-dictionary.xml | 4 ++++
|
||||
opensuse/cpe/opensuse-cpe-dictionary.xml | 4 ++++
|
||||
rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++++
|
||||
rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++++
|
||||
rhv4/cpe/rhv4-cpe-dictionary.xml | 4 ++++
|
||||
sle11/cpe/sle11-cpe-dictionary.xml | 4 ++++
|
||||
sle12/cpe/sle12-cpe-dictionary.xml | 4 ++++
|
||||
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 4 ++++
|
||||
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 4 ++++
|
||||
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 4 ++++
|
||||
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
|
||||
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 4 ++++
|
||||
19 files changed, 76 insertions(+)
|
||||
|
||||
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
index f2dbd09cfc..ddb68c34bd 100644
|
||||
--- a/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
index f385709052..24bbca69cd 100644
|
||||
--- a/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
index bc90a12bae..d5595fd594 100644
|
||||
--- a/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
index ff7cebc322..bef1337fc9 100644
|
||||
--- a/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
|
||||
@@ -107,4 +107,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
index 613f853a6d..5d4691aaf6 100644
|
||||
--- a/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
index 912fe01346..35167b1f70 100644
|
||||
--- a/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
|
||||
@@ -67,4 +67,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
index 7f485b800e..6b95e46d3f 100644
|
||||
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
|
||||
@@ -87,4 +87,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
index 2c8a82ebc5..bca8986f7a 100644
|
||||
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
|
||||
@@ -87,4 +87,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
index f232b7ed29..bc2aa869e8 100644
|
||||
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
||||
@@ -102,4 +102,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
index db1b4b239b..02450d6efc 100644
|
||||
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
index 1b6b3e2518..b7cb4e1fd5 100644
|
||||
--- a/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
|
||||
@@ -77,4 +77,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
index b1b66e1294..73cddd7740 100644
|
||||
--- a/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
|
||||
@@ -77,4 +77,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
index 7f3ce4271b..3f5447741b 100644
|
||||
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
index 83f0c8c516..e3e842842b 100644
|
||||
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
index 77b78d74ec..897673c6f5 100644
|
||||
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
|
||||
@@ -72,4 +72,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
index cc4e806a4d..ef7e803505 100644
|
||||
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
||||
@@ -71,4 +71,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
||||
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
index 824c575a6a..7184ebfd0b 100644
|
||||
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
|
||||
@@ -71,4 +71,8 @@
|
||||
<!-- the check references an OVAL file that contains an inventory definition -->
|
||||
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
||||
</cpe-item>
|
||||
+ <cpe-item name="cpe:/a:zipl">
|
||||
+ <title xml:lang="en-us">System uses zipl</title>
|
||||
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
||||
+ </cpe-item>
|
||||
</cpe-list>
|
@ -1,40 +0,0 @@
|
||||
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 23:36:18 +0200
|
||||
Subject: [PATCH] Ansible mount_option: split mount and option task
|
||||
|
||||
Separate task that adds mount options mounts the mountpoint into two tasks.
|
||||
Conditioning the "mount" task on the absence of the target mount option
|
||||
caused the task to always be skipped when mount option was alredy present,
|
||||
and could result in the mount point not being mounted.
|
||||
---
|
||||
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
|
||||
index 95bede25f9..a0cf8d6b7a 100644
|
||||
--- a/shared/templates/template_ANSIBLE_mount_option
|
||||
+++ b/shared/templates/template_ANSIBLE_mount_option
|
||||
@@ -26,14 +26,19 @@
|
||||
- device_name.stdout is defined and device_name.stdout_lines is defined
|
||||
- (device_name.stdout | length > 0)
|
||||
|
||||
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
|
||||
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
|
||||
+ set_fact:
|
||||
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
|
||||
+ when:
|
||||
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
|
||||
+
|
||||
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
|
||||
mount:
|
||||
path: "{{{ MOUNTPOINT }}}"
|
||||
src: "{{ mount_info.source }}"
|
||||
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
|
||||
+ opts: "{{ mount_info.options }}"
|
||||
state: "mounted"
|
||||
fstype: "{{ mount_info.fstype }}"
|
||||
when:
|
||||
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
|
||||
- device_name.stdout is defined
|
||||
- (device_name.stdout | length > 0)
|
@ -1,33 +0,0 @@
|
||||
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 14 May 2020 16:46:07 +0200
|
||||
Subject: [PATCH] reorder groups because of permissions verification
|
||||
|
||||
---
|
||||
ssg/build_yaml.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
|
||||
index e3e138283c..c9f3179c08 100644
|
||||
--- a/ssg/build_yaml.py
|
||||
+++ b/ssg/build_yaml.py
|
||||
@@ -700,6 +700,11 @@ def to_xml_element(self):
|
||||
# audit_rules_privileged_commands, othervise the rule
|
||||
# does not catch newly installed screeen binary during remediation
|
||||
# and report fail
|
||||
+ # the software group should come before the
|
||||
+ # bootloader-grub2 group because of conflict between
|
||||
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
|
||||
+ # specific rules concerning permissions should
|
||||
+ # be applied after the general rpm_verify_permissions
|
||||
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
|
||||
# the firewalld_activation must come before ruleset_modifications, othervise
|
||||
# remediations for ruleset_modifications won't work
|
||||
@@ -707,6 +712,7 @@ def to_xml_element(self):
|
||||
# otherwise the remediation prints error although it is successful
|
||||
priority_order = [
|
||||
"accounts", "auditing",
|
||||
+ "software", "bootloader-grub2",
|
||||
"fips", "crypto",
|
||||
"firewalld_activation", "ruleset_modifications",
|
||||
"disabling_ipv6", "configuring_ipv6"
|
@ -1,171 +0,0 @@
|
||||
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 14 May 2020 01:20:53 +0200
|
||||
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
|
||||
|
||||
All paths in /etc/rsyslog.conf were taken as log files, but paths
|
||||
in lines containing "include" or "$IncludeConfig" are config files.
|
||||
|
||||
Let's not take them in as log files
|
||||
---
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index a78cd69df2..c74f3da3f5 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -87,8 +87,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their permissions don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
|
||||
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 14 May 2020 00:16:37 +0200
|
||||
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
|
||||
|
||||
The remediation script also needs to parse the files included via
|
||||
"include()".
|
||||
The awk also takes into consideration the multiline aspect.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 6cbf0c6a24..dca35301e7 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
# Browse each file selected above as containing paths of log files
|
||||
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
|
||||
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 15:53:58 +0200
|
||||
Subject: [PATCH 3/4] Make regex for include file more strict
|
||||
|
||||
For some reason gensub in awk doesn't support non capturing group.
|
||||
So the group with OR is capturing and we substitute everyting with the
|
||||
second group, witch matches the file path.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index dca35301e7..99d2d0e794 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 15 May 2020 16:55:02 +0200
|
||||
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
|
||||
|
||||
These three files basically work the same way
|
||||
---
|
||||
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
|
||||
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
|
||||
3 files changed, 22 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
index 5828f25321..9941e2b94f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
||||
@@ -86,8 +86,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their groupownership don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
index 3c46eab6d6..29dd1a989e 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
||||
@@ -83,8 +83,18 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
+ include() or $IncludeConfig statements.
|
||||
+ These paths are conf files, not log files. Their owner don't need to be as
|
||||
+ required for log files, thus, lets exclude them from the list of objects found
|
||||
+ -->
|
||||
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Define OVAL variable to hold all the various system log files locations
|
||||
retrieved from the different rsyslog configuration files
|
||||
-->
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index c74f3da3f5..da37a15b8c 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -87,10 +87,10 @@
|
||||
-->
|
||||
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- <filter action="exclude">state_ignore_include_paths</filter>
|
||||
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
||||
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
|
||||
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
||||
include() or $IncludeConfig statements.
|
||||
These paths are conf files, not log files. Their permissions don't need to be as
|
@ -1,23 +0,0 @@
|
||||
From 602e57d4c643be443110bbc772e6e5546b1a3cd3 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri, 26 Jun 2020 16:56:52 +0200
|
||||
Subject: [PATCH] Update RHEL7 documentation link for
|
||||
grub2_uefi_admin_username.
|
||||
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_uefi_admin_username/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
index 1926837db7..0c69e59553 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
|
||||
@@ -28,7 +28,7 @@ rationale: |-
|
||||
For more information on how to configure the grub2 superuser account and password,
|
||||
please refer to
|
||||
<ul>
|
||||
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
|
||||
+ <li>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-working_with_the_grub_2_boot_loader#sec-Protecting_GRUB_2_with_a_Password") }}}</li>.
|
||||
</ul>
|
||||
{{% endif %}}
|
||||
|
@ -1,375 +0,0 @@
|
||||
From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Jun 2020 10:54:51 +0200
|
||||
Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
|
||||
|
||||
---
|
||||
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
|
||||
.../tests/no_sys_uids.pass.sh | 7 +++++++
|
||||
.../tests/only_system_users.pass.sh | 6 ++++++
|
||||
.../tests/system_user_with_shell.fail.sh | 6 ++++++
|
||||
4 files changed, 23 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6d48ad78fd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# remediation = none
|
||||
+
|
||||
+#!/bin/bash
|
||||
+true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..bc4f9cee8c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# remediation = none
|
||||
+
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Force unset of SYS_UID values
|
||||
+sed -i '/^SYS_UID_MIN/d' /etc/login.defs
|
||||
+sed -i '/^SYS_UID_MAX/d' /etc/login.defs
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0cdb820bbb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# remediation = none
|
||||
+
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove any non-system user
|
||||
+sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7639a8809d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# remediation = none
|
||||
+
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# change system user "mail" shell to bash
|
||||
+usermod --shell /bin/bash mail
|
||||
|
||||
From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Jun 2020 11:27:48 +0200
|
||||
Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
|
||||
range of UIDs
|
||||
|
||||
There is no need to make calculations on top of the UIDs, we can compare
|
||||
the collected UIDs with shell againt the states that define the valid range.
|
||||
|
||||
Avoiding the calculations has the added benefit of not using/referencing
|
||||
a variable that can be empty (when no user has shell, except root).
|
||||
---
|
||||
.../oval/shared.xml | 198 +++---------------
|
||||
1 file changed, 33 insertions(+), 165 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
|
||||
index 7e68441867..d0e836515b 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
|
||||
@@ -79,13 +79,6 @@
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <!-- Extract UIDs from /etc/passwd entries into OVAL variable -->
|
||||
- <local_variable id="variable_sys_uids_etc_passwd" datatype="int"
|
||||
- comment="UIDs retrieved from /etc/passwd" version="1">
|
||||
- <object_component item_field="subexpression"
|
||||
- object_ref="object_etc_passwd_entries" />
|
||||
- </local_variable>
|
||||
-
|
||||
<!-- FIRST CRITERION -->
|
||||
<!-- If both SYS_UID_MIN and SYS_UID_MAX aren't defined in /etc/login.defs
|
||||
perform the check that all /etc/passwd entries having shell defined have
|
||||
@@ -100,63 +93,23 @@
|
||||
</regex_capture>
|
||||
</local_variable>
|
||||
|
||||
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
|
||||
- https://github.com/OpenSCAP/openscap/issues/428
|
||||
-
|
||||
- Within the test below we will check if all /etc/passwd entries
|
||||
- having shell defined have UIDs outside of <0, UID_MIN - 1> range.
|
||||
- If at least one UID is within the range, test will fail.
|
||||
-
|
||||
- Observation: Number "x" is outside of <a, b> range if the following
|
||||
- inequality is met (x - a) * (x - b) > 0
|
||||
- -->
|
||||
-
|
||||
- <!-- OVAL variable to hold (x - 0) * (x - (UID_MIN -1)) range -->
|
||||
- <local_variable id="variable_default_range_quad_expr" datatype="int"
|
||||
- comment="Construct (x - 0) * (x - (UID_MIN - 1)) expression"
|
||||
- version="1">
|
||||
- <!-- Construct the final multiplication -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <!-- (x - 0) = x => use just "x" value -->
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Get (x - (UID_MIN -1)) result -->
|
||||
- <arithmetic arithmetic_operation="add">
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Get -1 * (UID_MIN - 1) result -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <literal_component datatype="int">-1</literal_component>
|
||||
- <!-- Get (UID_MIN -1) result -->
|
||||
- <arithmetic arithmetic_operation="add">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <variable_component var_ref="variable_uid_min_value" />
|
||||
- <literal_component datatype="int">-1</literal_component>
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </local_variable>
|
||||
-
|
||||
- <!-- Foreach previously collected UID store the expression into
|
||||
- corresponding OVAL object -->
|
||||
- <ind:variable_object id="object_shell_defined_default_uid_range" version="1">
|
||||
- <ind:var_ref>variable_default_range_quad_expr</ind:var_ref>
|
||||
- </ind:variable_object>
|
||||
-
|
||||
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
|
||||
- <ind:variable_state id="state_shell_defined_default_uid_range" version="1">
|
||||
- <ind:value datatype="int" operation="greater than">0</ind:value>
|
||||
- </ind:variable_state>
|
||||
-
|
||||
<!-- Perform the default <0, UID_MIN - 1> UID range test itself -->
|
||||
<!-- Thus check that all /etc/passwd entries having shell defined
|
||||
have UID outside of <0, UID_MIN -1> range -->
|
||||
- <ind:variable_test id="test_shell_defined_default_uid_range" check="all"
|
||||
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_default_uid_range" check="all"
|
||||
check_existence="all_exist" comment="<0, UID_MIN - 1> system UIDs having shell set"
|
||||
version="1">
|
||||
- <ind:object object_ref="object_shell_defined_default_uid_range" />
|
||||
- <ind:state state_ref="state_shell_defined_default_uid_range" />
|
||||
- </ind:variable_test>
|
||||
+ <ind:object object_ref="object_etc_passwd_entries" />
|
||||
+ <ind:state state_ref="state_uid_less_than_zero" />
|
||||
+ <ind:state state_ref="state_uid_greater_than_or_equal_uid_min" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_uid_less_than_zero" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_uid_min" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_uid_min_value" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
|
||||
<!-- Test if SYS_UID_MIN not defined in /etc/login.defs -->
|
||||
<ind:textfilecontent54_test id="test_sys_uid_min_not_defined"
|
||||
@@ -200,121 +153,36 @@
|
||||
</regex_capture>
|
||||
</local_variable>
|
||||
|
||||
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
|
||||
- https://github.com/OpenSCAP/openscap/issues/428
|
||||
-
|
||||
- Within the test below we will check if all /etc/passwd entries
|
||||
- having shell defined have UIDs outside of <0, SYS_UID_MIN> range.
|
||||
- If at least one UID is within the range, test will fail.
|
||||
-
|
||||
- Observation: Number "x" is outside of <a, b> range if the following
|
||||
- inequality is met (x - a) * (x - b) > 0
|
||||
- -->
|
||||
-
|
||||
- <!-- OVAL variable to hold UIDs for reserved system accounts, thus
|
||||
- UIDs from the range <0, SYS_UID_MIN> -->
|
||||
- <local_variable id="variable_reserved_range_quad_expr" datatype="int"
|
||||
- comment="Construct (x - 0) * (x - SYS_UID_MIN) expression"
|
||||
- version="1">
|
||||
- <!-- Construct the final multiplication -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <!-- (x - 0) = x => use just "x" value -->
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Construct (x - SYS_UID_MIN) expression -->
|
||||
- <arithmetic arithmetic_operation="add">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Get negative value of SYS_UID_MIN -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <literal_component datatype="int">-1</literal_component>
|
||||
- <variable_component var_ref="variable_sys_uid_min_value" />
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </local_variable>
|
||||
-
|
||||
- <!-- Foreach previously collected UID store the expression into
|
||||
- corresponding OVAL object -->
|
||||
- <ind:variable_object id="object_shell_defined_reserved_uid_range" version="1">
|
||||
- <ind:var_ref>variable_reserved_range_quad_expr</ind:var_ref>
|
||||
- </ind:variable_object>
|
||||
-
|
||||
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
|
||||
- <ind:variable_state id="state_shell_defined_reserved_uid_range" version="1">
|
||||
- <ind:value datatype="int" operation="greater than">0</ind:value>
|
||||
- </ind:variable_state>
|
||||
-
|
||||
<!-- Perform the reserved UID range <0, SYS_UID_MIN> test itself -->
|
||||
<!-- Thus check that all /etc/passwd entries having shell defined
|
||||
have UID outside of <0, SYS_UID_MIN> range -->
|
||||
- <ind:variable_test id="test_shell_defined_reserved_uid_range" check="all"
|
||||
- check_existence="all_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
|
||||
- version="1">
|
||||
- <ind:object object_ref="object_shell_defined_reserved_uid_range" />
|
||||
- <ind:state state_ref="state_shell_defined_reserved_uid_range" />
|
||||
- </ind:variable_test>
|
||||
-
|
||||
- <!-- OVAL entities below are workaround for the OpenSCAP bug:
|
||||
- https://github.com/OpenSCAP/openscap/issues/428
|
||||
-
|
||||
- Within the test below we will check if all /etc/passwd entries
|
||||
- having shell defined have UIDs outside of <SYS_UID_MIN, SYS_UID_MAX> range.
|
||||
- If at least one UID is within the range, test will fail.
|
||||
-
|
||||
- Observation: Number "x" is outside of <a, b> range if the following
|
||||
- inequality is met (x - a) * (x - b) > 0
|
||||
- -->
|
||||
-
|
||||
- <!-- OVAL variable to hold UIDs for dynamically allocated system accounts,
|
||||
- thus UIDs from the range <SYS_UID_MIN, SYS_UID_MAX> -->
|
||||
- <local_variable id="variable_dynalloc_range_quad_expr" datatype="int"
|
||||
- comment="Construct (x - SYS_UID_MIN) * (x - SYS_UID_MAX) expression"
|
||||
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_reserved_uid_range" check="all"
|
||||
+ check_existence="any_exist" comment="<0, SYS_UID_MIN> system UIDs having shell set"
|
||||
version="1">
|
||||
- <!-- Construct the final multiplication -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <!-- Construct (x - SYS_UID_MIN) expression -->
|
||||
- <arithmetic arithmetic_operation="add">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Get negative value of SYS_UID_MIN -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <literal_component datatype="int">-1</literal_component>
|
||||
- <variable_component var_ref="variable_sys_uid_min_value" />
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- <!-- Construct (x - SYS_UID_MAX) expression -->
|
||||
- <arithmetic arithmetic_operation="add">
|
||||
- <!-- Get "x", thus retrieved /etc/passwd UIDs as int -->
|
||||
- <variable_component var_ref="variable_sys_uids_etc_passwd" />
|
||||
- <!-- Get negative value of SYS_UID_MAX -->
|
||||
- <arithmetic arithmetic_operation="multiply">
|
||||
- <literal_component datatype="int">-1</literal_component>
|
||||
- <variable_component var_ref="variable_sys_uid_max_value" />
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </arithmetic>
|
||||
- </local_variable>
|
||||
-
|
||||
- <!-- Foreach previously collected UID store the expression into
|
||||
- corresponding OVAL object -->
|
||||
- <ind:variable_object id="object_shell_defined_dynalloc_uid_range" version="1">
|
||||
- <ind:var_ref>variable_dynalloc_range_quad_expr</ind:var_ref>
|
||||
- </ind:variable_object>
|
||||
+ <ind:object object_ref="object_etc_passwd_entries" />
|
||||
+ <ind:state state_ref="state_uid_less_than_zero" />
|
||||
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_min" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
|
||||
- <!-- Finally verify that (x - a) * (x - b) > 0 -->
|
||||
- <ind:variable_state id="state_shell_defined_dynalloc_uid_range" version="1">
|
||||
- <ind:value datatype="int" operation="greater than">0</ind:value>
|
||||
- </ind:variable_state>
|
||||
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_min" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_min_value" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
|
||||
<!-- Perform the dynamically allocated UID range <SYS_UID_MIN, SYS_UID_MAX> test itself -->
|
||||
<!-- Thus check that all /etc/passwd entries having shell defined
|
||||
have UID outside of <SYS_UID_MIN, SYS_UID_MAX> range -->
|
||||
- <ind:variable_test id="test_shell_defined_dynalloc_uid_range" check="all"
|
||||
- check_existence="all_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
|
||||
+ <ind:textfilecontent54_test state_operator="OR" id="test_shell_defined_dynalloc_uid_range" check="all"
|
||||
+ check_existence="any_exist" comment="<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set"
|
||||
version="1">
|
||||
- <ind:object object_ref="object_shell_defined_dynalloc_uid_range" />
|
||||
- <ind:state state_ref="state_shell_defined_dynalloc_uid_range" />
|
||||
- </ind:variable_test>
|
||||
+ <ind:object object_ref="object_etc_passwd_entries" />
|
||||
+ <ind:state state_ref="state_uid_less_than_sys_uid_min" />
|
||||
+ <ind:state state_ref="state_uid_greater_than_or_equal_sys_uid_max" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_uid_less_than_sys_uid_min" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="less than" var_ref="variable_sys_uid_min_value" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
+ <ind:textfilecontent54_state id="state_uid_greater_than_or_equal_sys_uid_max" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="greater than or equal" var_ref="variable_sys_uid_max_value" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
</def-group>
|
||||
|
||||
From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 14:04:37 +0200
|
||||
Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs
|
||||
|
||||
---
|
||||
.../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +-
|
||||
.../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +--
|
||||
.../tests/only_system_users.pass.sh | 3 +--
|
||||
.../tests/system_user_with_shell.fail.sh | 3 +--
|
||||
4 files changed, 4 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
index 6d48ad78fd..833831f79d 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
+#!/bin/bash
|
||||
# remediation = none
|
||||
|
||||
-#!/bin/bash
|
||||
true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
index bc4f9cee8c..6769895eb2 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
-# remediation = none
|
||||
-
|
||||
#!/bin/bash
|
||||
+# remediation = none
|
||||
|
||||
# Force unset of SYS_UID values
|
||||
sed -i '/^SYS_UID_MIN/d' /etc/login.defs
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
index 0cdb820bbb..06edf671ce 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
-# remediation = none
|
||||
-
|
||||
#!/bin/bash
|
||||
+# remediation = none
|
||||
|
||||
# remove any non-system user
|
||||
sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
index 7639a8809d..10312593b8 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
-# remediation = none
|
||||
-
|
||||
#!/bin/bash
|
||||
+# remediation = none
|
||||
|
||||
# change system user "mail" shell to bash
|
||||
usermod --shell /bin/bash mail
|
@ -1,163 +0,0 @@
|
||||
From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 09:53:38 +0200
|
||||
Subject: [PATCH 1/3] fixed description, oval, ansible, bash
|
||||
|
||||
---
|
||||
.../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
|
||||
.../configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
|
||||
.../configure_openssl_crypto_policy/oval/shared.xml | 2 +-
|
||||
.../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++-----
|
||||
4 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
index e6318f221c..98fe134aca 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
@@ -15,7 +15,7 @@
|
||||
lineinfile:
|
||||
create: yes
|
||||
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
|
||||
- line: ".include /etc/crypto-policies/back-ends/openssl.config"
|
||||
+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
path: /etc/pki/tls/openssl.cnf
|
||||
when:
|
||||
- test_crypto_policy_group.stdout is defined
|
||||
@@ -24,7 +24,7 @@
|
||||
- name: "Add crypto_policy group and set include openssl.config"
|
||||
lineinfile:
|
||||
create: yes
|
||||
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
|
||||
+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
path: /etc/pki/tls/openssl.cnf
|
||||
when:
|
||||
- test_crypto_policy_group.stdout is defined
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
index 0b3cbf3b46..a0b30cce96 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
|
||||
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
|
||||
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
|
||||
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
|
||||
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
|
||||
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
|
||||
|
||||
function remediate_openssl_crypto_policy() {
|
||||
CONFIG_FILE="/etc/pki/tls/openssl.cnf"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
|
||||
index a9b3f7b6e9..2019769736 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
|
||||
@@ -20,7 +20,7 @@
|
||||
<ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
|
||||
version="1">
|
||||
<ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||||
index 8c015bb3b2..1a66570a8c 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
|
||||
@@ -11,7 +11,7 @@ description: |-
|
||||
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
|
||||
available under <tt>/etc/pki/tls/openssl.cnf</tt>.
|
||||
This file has the <tt>ini</tt> format, and it enables crypto policy support
|
||||
- if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
|
||||
+ if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
|
||||
|
||||
rationale: |-
|
||||
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
|
||||
@@ -29,11 +29,11 @@ references:
|
||||
|
||||
ocil_clause: |-
|
||||
the OpenSSL config file doesn't contain the whole section,
|
||||
- or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
|
||||
+ or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
|
||||
|
||||
ocil: |-
|
||||
- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
|
||||
+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
|
||||
<pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
|
||||
- <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
|
||||
- <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
|
||||
+ <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
|
||||
+ <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
|
||||
|
||||
|
||||
From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 09:54:09 +0200
|
||||
Subject: [PATCH 2/3] updated tests
|
||||
|
||||
---
|
||||
.../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +-
|
||||
.../tests/wrong.fail.sh | 10 ++++++++++
|
||||
2 files changed, 11 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
|
||||
index 5b8334735e..c56916883e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
|
||||
@@ -6,5 +6,5 @@
|
||||
|
||||
create_config_file_with "[ crypto_policy ]
|
||||
|
||||
-.include /etc/crypto-policies/back-ends/openssl.config
|
||||
+.include /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..5b8334735e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
|
||||
+
|
||||
+. common.sh
|
||||
+
|
||||
+create_config_file_with "[ crypto_policy ]
|
||||
+
|
||||
+.include /etc/crypto-policies/back-ends/openssl.config
|
||||
+"
|
||||
|
||||
From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 17:32:00 +0200
|
||||
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
|
||||
file.
|
||||
|
||||
---
|
||||
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
index 98fe134aca..986543c10f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
@@ -11,7 +11,7 @@
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
-- name: "Add .include for openssl.config to crypto_policy section"
|
||||
+- name: "Add .include for opensslcnf.config to crypto_policy section"
|
||||
lineinfile:
|
||||
create: yes
|
||||
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
|
||||
@@ -21,7 +21,7 @@
|
||||
- test_crypto_policy_group.stdout is defined
|
||||
- test_crypto_policy_group.stdout | length > 0
|
||||
|
||||
-- name: "Add crypto_policy group and set include openssl.config"
|
||||
+- name: "Add crypto_policy group and set include opensslcnf.config"
|
||||
lineinfile:
|
||||
create: yes
|
||||
line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
|
@ -1,383 +0,0 @@
|
||||
From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Tue, 19 May 2020 15:49:34 +0200
|
||||
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
|
||||
|
||||
Introduce the rekey_limit_size and rekey_limit_time XCCDF values
|
||||
to make the rule more flexible.
|
||||
---
|
||||
.../sshd_rekey_limit/bash/shared.sh | 9 ++++
|
||||
.../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++
|
||||
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +-----
|
||||
.../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++
|
||||
.../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++
|
||||
.../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++
|
||||
.../sshd_rekey_limit/tests/ok.pass.sh | 4 ++
|
||||
.../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++
|
||||
.../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++
|
||||
rhel8/profiles/ospp.profile | 2 +
|
||||
10 files changed, 99 insertions(+), 10 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..2620c2d49e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Include source function library.
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+populate var_rekey_limit_size
|
||||
+populate var_rekey_limit_time
|
||||
+
|
||||
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..57aa090948
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
@@ -0,0 +1,43 @@
|
||||
+{{% set filepath = "/etc/ssh/sshd_config" %}}
|
||||
+{{% set parameter = "RekeyLimit" %}}
|
||||
+
|
||||
+
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ <metadata>
|
||||
+ <title>{{{ rule_title }}}</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
|
||||
+ </metadata>
|
||||
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||||
+ {{{- application_not_required_or_requirement_unset() }}}
|
||||
+ {{{- application_required_or_requirement_unset() }}}
|
||||
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
||||
+ </criteria>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
||||
+ <ind:object object_ref="obj_sshd_rekey_limit"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
|
||||
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
|
||||
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||||
+ <concat>
|
||||
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
||||
+ <variable_component var_ref="var_rekey_limit_size"/>
|
||||
+ <literal_component>[\s]+</literal_component>
|
||||
+ <variable_component var_ref="var_rekey_limit_time"/>
|
||||
+ <literal_component>[\s]*$</literal_component>
|
||||
+ </concat>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
|
||||
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
|
||||
+</def-group>
|
||||
+
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||||
index e11678faa0..4936a381f5 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||||
@@ -7,7 +7,7 @@ description: |-
|
||||
the session key of the is renegotiated, both in terms of
|
||||
amount of data that may be transmitted and the time
|
||||
elapsed. To decrease the default limits, put line
|
||||
- <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
|
||||
+ <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
|
||||
|
||||
rationale: |-
|
||||
By decreasing the limit based on the amount of data and enabling
|
||||
@@ -30,12 +30,4 @@ ocil: |-
|
||||
following command:
|
||||
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
|
||||
If configured properly, output should be
|
||||
- <pre>RekeyLimit 512M 1h</pre>
|
||||
-
|
||||
-template:
|
||||
- name: sshd_lineinfile
|
||||
- vars:
|
||||
- missing_parameter_pass: 'false'
|
||||
- parameter: RekeyLimit
|
||||
- rule_id: sshd_rekey_limit
|
||||
- value: 512M 1h
|
||||
+ <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..2ac0bbf350
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fec859fe05
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a6cd10163f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a6a2ba7adf
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
new file mode 100644
|
||||
index 0000000000..16dc376508
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
@@ -0,0 +1,14 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'SSH RekeyLimit - size'
|
||||
+
|
||||
+description: 'Specify the size component of the rekey limit.'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ sshd_default: "default"
|
||||
+ default: "512M"
|
||||
+ "512M": "512M"
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
|
||||
new file mode 100644
|
||||
index 0000000000..8801fbbf6f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
|
||||
@@ -0,0 +1,14 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'SSH RekeyLimit - size'
|
||||
+
|
||||
+description: 'Specify the size component of the rekey limit.'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ sshd_default: "none"
|
||||
+ default: "1h"
|
||||
+ "1hour": "1h"
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index c672066050..a5223a187f 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -58,6 +58,8 @@ selections:
|
||||
- sshd_set_keepalive
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_rekey_limit
|
||||
+ - var_rekey_limit_size=512M
|
||||
+ - var_rekey_limit_time=1hour
|
||||
- sshd_use_strong_rng
|
||||
- openssl_use_strong_entropy
|
||||
|
||||
|
||||
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Tue, 19 May 2020 17:57:12 +0200
|
||||
Subject: [PATCH 2/5] Updated stable profile definitions.
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
|
||||
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 23039c82b4..bdda39a903 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -214,6 +214,8 @@ selections:
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
- var_sshd_set_keepalive=0
|
||||
+- var_rekey_limit_size=512M
|
||||
+- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=027
|
||||
- var_password_pam_difok=4
|
||||
- var_password_pam_maxrepeat=3
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index cd31b73700..ebef541921 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
|
||||
documentation_complete: true
|
||||
-extends: ospp
|
||||
selections:
|
||||
- account_disable_post_pw_expiration
|
||||
- account_temp_expire_date
|
||||
@@ -243,6 +242,8 @@ selections:
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
- var_sshd_set_keepalive=0
|
||||
+- var_rekey_limit_size=512M
|
||||
+- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=027
|
||||
- var_password_pam_difok=4
|
||||
- var_password_pam_maxrepeat=3
|
||||
|
||||
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 22 May 2020 11:43:36 +0200
|
||||
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 14 ++++++++++++++
|
||||
shared/macros-bash.jinja | 15 +++++++++++++++
|
||||
2 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 56a3f5f3ec..6798a25d1f 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -1,3 +1,17 @@
|
||||
+{{#
|
||||
+Pass strings that correspond to XCCDF value names as arguments to this macro:
|
||||
+ansible_instantiate_variables("varname1", "varname2")
|
||||
+
|
||||
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
|
||||
+value: "Setting={{ varname1 }}"
|
||||
+
|
||||
+#}}
|
||||
+{{%- macro ansible_instantiate_variables() -%}}
|
||||
+{{%- for name in varargs -%}}
|
||||
+- (xccdf-var {{{ name }}})
|
||||
+{{% endfor -%}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
{{#
|
||||
A wrapper over the Ansible lineinfile module. This handles the most common
|
||||
options for us. regex is optional and when blank, it won't be included in
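Review bot: The doc comment for `ansible_instantiate_variables` should say where the call may be placed: each argument expands to a top-level list item `- (xccdf-var name)`, so the macro has to be invoked at task-list indentation (as the later `ansible/shared.yml` files on this page do), and a call inside a task body would produce invalid YAML. It would also help to state that a call with no arguments expands to nothing, since the `{{%- for name in varargs -%}}` loop has no guard. A suggested addition to the comment block: `The macro emits one top-level list item per argument, so call it at the same indentation as the tasks; calling it with no arguments produces no output.`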
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 01b9e62e7b..3a94fe5dd8 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -1,5 +1,20 @@
|
||||
{{# ##### High level macros ##### #}}
|
||||
|
||||
+{{#
|
||||
+Pass strings that correspond to XCCDF value names as arguments to this macro:
|
||||
+bash_instantiate_variables("varname1", "varname2")
|
||||
+
|
||||
+Then, assume that variables of that names are defined and contain the correct value, e.g.
|
||||
+echo "Setting=$varname1" >> config_file
|
||||
+
|
||||
+#}}
|
||||
+{{%- macro bash_instantiate_variables() -%}}
|
||||
+{{%- for name in varargs -%}}
|
||||
+populate {{{ name }}}
|
||||
+{{# this line is intentionally left blank #}}
|
||||
+{{% endfor -%}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
|
||||
{{% if no_quotes -%}}
|
||||
{{% if "$" in value %}}
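Review bot: The doc comment for `bash_instantiate_variables` omits its one precondition: each argument expands to `populate <name>`, and `populate` is a shell function provided by the remediation function library, so the generated script only works if the caller has sourced it first (the sshd_rekey_limit bash remediation on this page does so with `. /usr/share/scap-security-guide/remediation_functions` before the macro call). Add a line to the comment block such as `The caller must have sourced /usr/share/scap-security-guide/remediation_functions, which defines populate, before this macro is expanded.` The `{{# this line is intentionally left blank #}}` marker could also say why the blank line matters (one `populate` per line), since a reader will otherwise be tempted to remove it.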
|
||||
|
||||
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 22 May 2020 11:44:08 +0200
|
||||
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++
|
||||
.../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..43a2d4521f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||||
@@ -0,0 +1,8 @@
|
||||
+# platform = multi_platform_all [0/453]
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
||||
+
|
||||
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
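Review bot: The first line of this new file, `# platform = multi_platform_all [0/453]`, carries a stray pager/terminal fragment in the metadata header that the build parses to select platforms; patch 05/11 fixes the identical slip in the ssh_client_rekey_limit Ansible file, but this sshd-side file is not corrected anywhere visible on this page, so the platform header is presumably still malformed. Change it to `# platform = multi_platform_all`. While here, the template value has inconsistent Jinja spacing, `"{{ var_rekey_limit_size}} {{var_rekey_limit_time}}"`, and would read better as `"{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}"`.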
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
index 2620c2d49e..0277f31392 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||||
@@ -3,7 +3,6 @@
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
|
||||
-populate var_rekey_limit_size
|
||||
-populate var_rekey_limit_time
|
||||
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
||||
|
||||
{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
|
||||
|
||||
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 22 May 2020 11:49:04 +0200
|
||||
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
|
||||
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
index 57aa090948..47796e5332 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
@@ -1,5 +1,4 @@
|
||||
-{{% set filepath = "/etc/ssh/sshd_config" %}}
|
||||
-{{% set parameter = "RekeyLimit" %}}
|
||||
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
|
||||
|
||||
|
||||
<def-group>
|
||||
@@ -7,7 +6,7 @@
|
||||
<metadata>
|
||||
<title>{{{ rule_title }}}</title>
|
||||
{{{- oval_affected(products) }}}
|
||||
- <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
|
||||
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
|
||||
</metadata>
|
||||
<criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||||
{{{- application_not_required_or_requirement_unset() }}}
|
@ -1,102 +0,0 @@
|
||||
From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 25 May 2020 10:51:24 +0200
|
||||
Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
|
||||
|
||||
---
|
||||
.../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 +
|
||||
rhel8/profiles/ospp.profile | 2 +-
|
||||
rhel8/profiles/stig.profile | 3 +++
|
||||
3 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
index 16dc376508..395a087a68 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
|
||||
@@ -12,3 +12,4 @@ options:
|
||||
sshd_default: "default"
|
||||
default: "512M"
|
||||
"512M": "512M"
|
||||
+ "1G": "1G"
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index a5223a187f..0dca8350f9 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -58,7 +58,7 @@ selections:
|
||||
- sshd_set_keepalive
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_rekey_limit
|
||||
- - var_rekey_limit_size=512M
|
||||
+ - var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
- sshd_use_strong_rng
|
||||
- openssl_use_strong_entropy
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 2bb81cf9dc..a156857647 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -44,3 +44,6 @@ selections:
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_tls
|
||||
- rsyslog_remote_tls_cacert
|
||||
+ - sshd_rekey_limit
|
||||
+ - var_rekey_limit_size=512M
|
||||
+ - var_rekey_limit_time=1hour
|
||||
|
||||
From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 25 May 2020 10:51:54 +0200
|
||||
Subject: [PATCH 2/3] update stable ospp profile
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index bdda39a903..25f7922bf3 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -214,7 +214,7 @@ selections:
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
- var_sshd_set_keepalive=0
|
||||
-- var_rekey_limit_size=512M
|
||||
+- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=027
|
||||
- var_password_pam_difok=4
|
||||
|
||||
From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 28 May 2020 09:30:58 +0200
|
||||
Subject: [PATCH 3/3] propagate change also into stig profile
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 3 ---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 +-
|
||||
2 files changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index a156857647..2bb81cf9dc 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -44,6 +44,3 @@ selections:
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_tls
|
||||
- rsyslog_remote_tls_cacert
|
||||
- - sshd_rekey_limit
|
||||
- - var_rekey_limit_size=512M
|
||||
- - var_rekey_limit_time=1hour
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index ebef541921..6c4270925f 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -242,7 +242,7 @@ selections:
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
- var_sshd_set_keepalive=0
|
||||
-- var_rekey_limit_size=512M
|
||||
+- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=027
|
||||
- var_password_pam_difok=4
|
@ -1,798 +0,0 @@
|
||||
From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 27 May 2020 14:34:50 +0200
|
||||
Subject: [PATCH 01/11] add rule, variables, check, remediations
|
||||
|
||||
---
|
||||
.../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
|
||||
.../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
|
||||
.../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
|
||||
.../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
|
||||
.../var_ssh_client_rekey_limit_size.var | 15 +++++++
|
||||
.../var_ssh_client_rekey_limit_time.var | 14 +++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
7 files changed, 118 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..6d2bcbbd44
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
@@ -0,0 +1,8 @@
|
||||
+# platform = multi_platform_all [0/453]
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
||||
+
|
||||
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
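Review bot: The `ansible_lineinfile(... create='yes' ...)` call creates `/etc/ssh/ssh_config.d/02-rekey-limit.conf` with whatever mode and ownership the module defaults to and assumes the `ssh_config.d` directory already exists; nothing in the hunk asserts the directory or sets an explicit mode, so the remediation can fail on a host without the drop-in directory and, where it succeeds, leaves the file permissions to chance. If the wrapper macro supports it, pass an explicit mode for the drop-in, otherwise precede it with a task that ensures the directory exists; the bash remediation in the next hunk (`set_config_file(... create=true ...)`) has the same gap. The header also says `# platform = multi_platform_all` while rule.yml later in this series declares `prodtype: rhel8`; if the drop-in path is RHEL 8-specific, narrowing the platform header would make that explicit.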
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..43d0971ffc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Include source function library.
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
||||
+
|
||||
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..2412763e3f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
@@ -0,0 +1,39 @@
|
||||
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
|
||||
+
|
||||
+
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ <metadata>
|
||||
+ <title>{{{ rule_title }}}</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
|
||||
+ </metadata>
|
||||
+ <criteria comment="RekeyLimit is correctly configured for ssh client">
|
||||
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
|
||||
+ <ind:object object_ref="obj_ssh_client_rekey_limit"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
|
||||
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
|
||||
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||||
+ <concat>
|
||||
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
||||
+ <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
|
||||
+ <literal_component>[\s]+</literal_component>
|
||||
+ <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
|
||||
+ <literal_component>[\s]*$</literal_component>
|
||||
+ </concat>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
|
||||
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
|
||||
+</def-group>
|
||||
+
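Review bot: The OVAL only inspects `/etc/ssh/ssh_config.d/02-rekey-limit.conf`, and `<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>` is satisfied as soon as one matching line exists, so a file that also contains a second, non-compliant `RekeyLimit` line still passes. In OpenSSH client configuration the first obtained value for a keyword wins, so a `RekeyLimit` set in `/etc/ssh/ssh_config` before the include, or in a drop-in that sorts earlier than `02-`, would override this one without the check noticing. At minimum the `<criteria comment=...>` should name this scope limitation, e.g. `comment="RekeyLimit is set in the 02-rekey-limit.conf drop-in (earlier definitions in ssh_config or lower-numbered drop-ins are not checked)"`, and the rule.yml `description` should say the same so assessors understand what is and is not verified.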
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..a1b85b0ee5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Configure session renegotiation for SSH client'
|
||||
+
|
||||
+description: |-
|
||||
+ The <tt>RekeyLimit</tt> parameter specifies how often
|
||||
+ the session key is renegotiated, both in terms of
|
||||
+ amount of data that may be transmitted and the time
|
||||
+ elapsed. To decrease the default limits, put line
|
||||
+ <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ By decreasing the limit based on the amount of data and enabling
|
||||
+ time-based limit, effects of potential attacks against
|
||||
+ encryption keys are limited.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82880-6
|
||||
+
|
||||
+references:
|
||||
+ ospp: FCS_SSHS_EXT.1
|
||||
+
|
||||
+ocil_clause: 'it is commented out or is not set'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To check if RekeyLimit is set correctly, run the
|
||||
+ following command:
|
||||
+ <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
|
||||
+ If configured properly, output should be
|
||||
+ <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
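Review bot: The reference `ospp: FCS_SSHS_EXT.1` names the SSH *server* SFR, but this rule configures the SSH *client* (`/etc/ssh/ssh_config.d/...`); the SSH extended package defines a separate client SFR, so if this rule is meant to satisfy the client-side requirement the reference should presumably be `ospp: FCS_SSHC_EXT.1`, and if it is intentionally cross-referenced to the server requirement that deserves a comment. The `ocil` text greps only the drop-in file, which mirrors the OVAL's scope; adding one sentence noting that an earlier `RekeyLimit` in `/etc/ssh/ssh_config` would take precedence would keep the manual check honest.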
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
new file mode 100644
|
||||
index 0000000000..bcf051fd97
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
@@ -0,0 +1,15 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'SSH client RekeyLimit - size'
|
||||
+
|
||||
+description: 'Specify the size component of the rekey limit.'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ ssh_client_default: "default"
|
||||
+ default: "512M"
|
||||
+ "512M": "512M"
|
||||
+ "1G": "1G"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
new file mode 100644
|
||||
index 0000000000..31c76f9ab5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
@@ -0,0 +1,14 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'SSH client RekeyLimit - size'
|
||||
+
|
||||
+description: 'Specify the size component of the rekey limit.'
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ ssh_client_default: "none"
|
||||
+ default: "1h"
|
||||
+ "1hour": "1h"
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 45d03a2c1d..e060d2fb1c 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,4 +1,3 @@
|
||||
-CCE-82880-6
|
||||
CCE-82882-2
|
||||
CCE-82883-0
|
||||
CCE-82888-9
|
||||
|
||||
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 27 May 2020 14:35:24 +0200
|
||||
Subject: [PATCH 02/11] add tests
|
||||
|
||||
---
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
|
||||
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
|
||||
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
|
||||
4 files changed, 15 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..2ac0bbf350
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fec859fe05
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a6cd10163f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a6a2ba7adf
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
|
||||
|
||||
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 27 May 2020 14:35:43 +0200
|
||||
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
|
||||
|
||||
---
|
||||
rhel8/profiles/ospp.profile | 5 +++++
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 3 +++
|
||||
tests/data/profile_stability/rhel8/stig.profile | 3 +++
|
||||
3 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 0dca8350f9..07d32b814d 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -410,3 +410,8 @@ selections:
|
||||
|
||||
# Prevent Kerberos use by system daemons
|
||||
- kerberos_disable_no_keytab
|
||||
+
|
||||
+ # set ssh client rekey limit
|
||||
+ - ssh_client_rekey_limit
|
||||
+ - var_ssh_client_rekey_limit_size=1G
|
||||
+ - var_ssh_client_rekey_limit_time=1hour
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 25f7922bf3..b0d7672c36 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -240,4 +240,7 @@ selections:
|
||||
- grub2_vsyscall_argument.severity=info
|
||||
- sysctl_user_max_user_namespaces.role=unscored
|
||||
- sysctl_user_max_user_namespaces.severity=info
|
||||
+- ssh_client_rekey_limit
|
||||
+- var_ssh_client_rekey_limit_size=1G
|
||||
+- var_ssh_client_rekey_limit_time=1hour
|
||||
title: Protection Profile for General Purpose Operating Systems
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 6c4270925f..330ecc7e1e 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -269,4 +269,7 @@ selections:
|
||||
- grub2_vsyscall_argument.severity=info
|
||||
- sysctl_user_max_user_namespaces.role=unscored
|
||||
- sysctl_user_max_user_namespaces.severity=info
|
||||
+- ssh_client_rekey_limit
|
||||
+- var_ssh_client_rekey_limit_size=1G
|
||||
+- var_ssh_client_rekey_limit_time=1hour
|
||||
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
|
||||
|
||||
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 28 May 2020 14:25:41 +0200
|
||||
Subject: [PATCH 04/11] improve description of variables
|
||||
|
||||
---
|
||||
.../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
|
||||
.../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
|
||||
2 files changed, 17 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
index bcf051fd97..4e20104cba 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
@@ -2,14 +2,20 @@ documentation_complete: true
|
||||
|
||||
title: 'SSH client RekeyLimit - size'
|
||||
|
||||
-description: 'Specify the size component of the rekey limit.'
|
||||
+description: |-
|
||||
+ Specify the size component of the rekey limit. This limit signifies amount
|
||||
+ of data. After this amount of data is transferred through the connection,
|
||||
+ the session key is renegotiated. The number is followed by K, M or G for
|
||||
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
|
||||
+ configured according to ellabsed time.
|
||||
+
|
||||
+interactive: true
|
||||
|
||||
type: string
|
||||
|
||||
operator: equals
|
||||
|
||||
options:
|
||||
- ssh_client_default: "default"
|
||||
default: "512M"
|
||||
"512M": "512M"
|
||||
"1G": "1G"
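Review bot: The new `description` block contains the typo `ellabsed time` in its last sentence; since this text is rendered into the published guide, change it to `elapsed time`. The sentence `Note that the RekeyLimit can be also configured according to elapsed time.` would also read more naturally as `Note that RekeyLimit can also be configured according to elapsed time.`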
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
index 31c76f9ab5..6143a5448c 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
@@ -1,14 +1,20 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'SSH client RekeyLimit - size'
|
||||
+title: 'SSH client RekeyLimit - time'
|
||||
|
||||
-description: 'Specify the size component of the rekey limit.'
|
||||
+description: |-
|
||||
+ Specify the time component of the rekey limit. This limit signifies amount
|
||||
+ of data. The session key is renegotiated after the defined amount of time
|
||||
+ passes. The number is followed by units such as H or M for hours or minutes.
|
||||
+ Note that the RekeyLimit can be also configured according to amount of
|
||||
+ transfered data.
|
||||
+
|
||||
+interactive: true
|
||||
|
||||
type: string
|
||||
|
||||
operator: equals
|
||||
|
||||
options:
|
||||
- ssh_client_default: "none"
|
||||
default: "1h"
|
||||
"1hour": "1h"
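Review bot: The new `description` of the time variable keeps the sentence `This limit signifies amount of data.` copied from the size variable, which contradicts the next sentence about elapsed time and will confuse anyone tailoring the value. Replace it with `This limit signifies elapsed time.` (or drop it), and fix `transfered` to `transferred` in the last line. The units sentence says `H or M for hours or minutes`, whereas the option actually provided is lower-case `1h`; stating the accepted suffix form consistently with the option would avoid a mismatch between documentation and the selectable values.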
|
||||
|
||||
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 28 May 2020 14:26:12 +0200
|
||||
Subject: [PATCH 05/11] fix tests and ansible
|
||||
|
||||
---
|
||||
.../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
|
||||
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
|
||||
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
|
||||
5 files changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
index 6d2bcbbd44..bb6544a0a0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_all [0/453]
|
||||
+# platform = multi_platform_all
|
||||
# reboot = false
|
||||
# strategy = configure
|
||||
# complexity = low
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
index 2ac0bbf350..22c465b08f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
|
||||
+
|
||||
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
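Review bot: The rewritten scenario only appends the wrong `RekeyLimit 812M 1h` line and no longer clears the drop-in first, so if `02-rekey-limit.conf` already holds the expected line the check still finds a matching line and this `.fail.sh` scenario passes instead of failing. `ok.pass.sh` later in the same patch runs `rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf` before its echo; the same line belongs here and in `bad_time.fail.sh`. Whether this bites in practice depends on the harness restoring a clean snapshot between scenarios, which the page does not show.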
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
index fec859fe05..0dc621b1da 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
|
||||
+
|
||||
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
index a6cd10163f..f6abf711da 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
@@ -1,3 +1,3 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
index a6a2ba7adf..e64e4191bc 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||||
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
|
||||
+
|
||||
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
|
||||
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 1 Jun 2020 14:29:47 +0200
|
||||
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
|
||||
|
||||
---
|
||||
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
|
||||
rhel8/profiles/stig.profile | 1 +
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
3 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
index e64e4191bc..89d7069687 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
@@ -2,4 +2,4 @@
|
||||
|
||||
|
||||
rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 2bb81cf9dc..8f12852e26 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -44,3 +44,4 @@ selections:
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_tls
|
||||
- rsyslog_remote_tls_cacert
|
||||
+ - "!ssh_client_rekey_limit"
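Review bot: Unselecting the rule with `- "!ssh_client_rekey_limit"` leaves the `var_ssh_client_rekey_limit_size=1G` and `var_ssh_client_rekey_limit_time=1hour` refinements in place, as the profile stability data in the next hunk still shows; with the rule gone they refine variables that no selected rule reads. Either drop the two refinements together with the rule or add a comment saying why they stay, presumably in the part of stig.profile outside this hunk where they are set. The `selections:` list continues outside the hunk.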
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 330ecc7e1e..9b164eb5c2 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -269,7 +269,6 @@ selections:
|
||||
- grub2_vsyscall_argument.severity=info
|
||||
- sysctl_user_max_user_namespaces.role=unscored
|
||||
- sysctl_user_max_user_namespaces.severity=info
|
||||
-- ssh_client_rekey_limit
|
||||
- var_ssh_client_rekey_limit_size=1G
|
||||
- var_ssh_client_rekey_limit_time=1hour
|
||||
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
|
||||
|
||||
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 3 Jun 2020 12:38:19 +0200
|
||||
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
|
||||
|
||||
---
|
||||
.../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++-------
|
||||
1 file changed, 26 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
index 2412763e3f..41fa0497ae 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
||||
@@ -1,28 +1,17 @@
|
||||
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
|
||||
-
|
||||
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
<metadata>
|
||||
<title>{{{ rule_title }}}</title>
|
||||
{{{- oval_affected(products) }}}
|
||||
- <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
|
||||
+ <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
|
||||
</metadata>
|
||||
- <criteria comment="RekeyLimit is correctly configured for ssh client">
|
||||
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
||||
+ <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
|
||||
+ <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
|
||||
+ <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
|
||||
- <ind:object object_ref="obj_ssh_client_rekey_limit"/>
|
||||
- </ind:textfilecontent54_test>
|
||||
-
|
||||
- <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
|
||||
- <ind:filepath>{{{ filepath }}}</ind:filepath>
|
||||
- <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- </ind:textfilecontent54_object>
|
||||
-
|
||||
<local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||||
<concat>
|
||||
<literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
||||
@@ -35,5 +24,26 @@
|
||||
|
||||
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
|
||||
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
|
||||
-</def-group>
|
||||
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
|
||||
+ <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
|
||||
+ <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
|
||||
+ <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
|
||||
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
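Review bot: The new criteria only prove that some `ssh_config.d/*.conf` drop-in contains the expected `RekeyLimit` line and that the main file contains none; a drop-in sorted before `02-rekey-limit.conf` carrying a different `RekeyLimit` value is not detected, although the client keeps the first value it obtains and the rule description in a later hunk of rule.yml tells the administrator to check exactly that, so a weaker limit in an earlier-sorted file passes the automated check. One way to close the gap is a third criterion whose object collects every `RekeyLimit` line in `ssh_config.d/*.conf` and whose state requires each collected line to match `ssh_client_line_regex`, sketched below; `check_existence="any_exist"` keeps a host with only the one correct drop-in passing, but confirm the zero-item semantics of `any_exist` against the OVAL engine in use. The `ssh_client_line_regex` definition straddles the two hunks, so the sketch relies on its full form being a whole-line regex.
```xml
    <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
    <criterion comment="check that no RekeyLimit line in /etc/ssh/ssh_config.d/*.conf carries a different value" test_ref="test_ssh_client_rekey_limit_include_configs_all_expected" />
  </criteria>
<!-- … unchanged: definition end, ssh_client_line_regex, external variables, existing tests and objects … -->
  <ind:textfilecontent54_test check="all" check_existence="any_exist" comment="every RekeyLimit line in /etc/ssh/ssh_config.d/*.conf has the expected value" id="test_ssh_client_rekey_limit_include_configs_all_expected" version="1">
    <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs_any_line"/>
    <ind:state state_ref="state_ssh_client_rekey_limit_expected_line"/>
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs_any_line" version="1">
    <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
    <ind:pattern operation="pattern match">^([\s]*RekeyLimit[\s]+.*)$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_ssh_client_rekey_limit_expected_line" version="1">
    <ind:subexpression operation="pattern match" var_ref="ssh_client_line_regex"/>
  </ind:textfilecontent54_state>
</def-group>
```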
|
||||
|
||||
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 08:24:54 +0200
|
||||
Subject: [PATCH 08/11] reqrite remediations
|
||||
|
||||
---
|
||||
.../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++
|
||||
.../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
|
||||
2 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
index bb6544a0a0..36de503806 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
||||
@@ -5,4 +5,20 @@
|
||||
# disruption = low
|
||||
{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
||||
|
||||
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
|
||||
+
|
||||
+- name: Collect all include config files for ssh client which configure RekeyLimit
|
||||
+ find:
|
||||
+ paths: "/etc/ssh/ssh_config.d/"
|
||||
+ contains: '^[\s]*RekeyLimit.*$'
|
||||
+ patterns: "*.config"
|
||||
+ register: ssh_config_include_files
|
||||
+
|
||||
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
|
||||
+ lineinfile:
|
||||
+ path: "{{ item }}"
|
||||
+ regexp: '^[\s]*RekeyLimit.*$'
|
||||
+ state: "absent"
|
||||
+ loop: "{{ ssh_config_include_files.files }}"
|
||||
+
|
||||
{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
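Review bot: The `find` task's `patterns: "*.config"` does not match the `*.conf` drop-ins that the OVAL check, the bash remediation and the test scenarios all use, so a stray `RekeyLimit` in another drop-in is never removed and the remediated host still fails the check; change it to `patterns: "*.conf"`. The loop that follows passes each `find` result entry, which is a dict, straight to `lineinfile`, so `path: "{{ item }}"` should be `path: "{{ item.path }}"`. The `ansible_lineinfile` macro call at the end of the hunk is unchanged and still writes the expected value into `02-rekey-limit.conf`.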
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
index 43d0971ffc..99f6f63c92 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
||||
@@ -5,4 +5,17 @@
|
||||
|
||||
{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
||||
|
||||
+main_config="/etc/ssh/ssh_config"
|
||||
+include_directory="/etc/ssh/ssh_config.d"
|
||||
+
|
||||
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
|
||||
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
|
||||
+fi
|
||||
+
|
||||
+for file in "$include_directory"/*.conf; do
|
||||
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
|
||||
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
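Review bot: In the grep and sed calls, `[\s]` is a POSIX bracket expression matching a literal backslash or the letter `s`, not whitespace, so an indented `RekeyLimit` line in `/etc/ssh/ssh_config` or in a drop-in survives the remediation while the OVAL check, whose PCRE `[\s]` does mean whitespace, keeps flagging it; use `'^[[:space:]]*RekeyLimit'` in all four places. The `for file in "$include_directory"/*.conf` loop also iterates once over the literal glob when the directory holds no `.conf` file, so guard the body with `[ -f "$file" ] || continue` (or `shopt -s nullglob`). Since `sed -i '/…/d'` is a no-op when nothing matches, the `grep -q` guards around it can be dropped.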
|
||||
|
||||
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 08:25:14 +0200
|
||||
Subject: [PATCH 09/11] add more tests
|
||||
|
||||
---
|
||||
.../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
|
||||
.../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
|
||||
.../tests/ok_different_config_file.pass.sh | 3 +++
|
||||
3 files changed, 11 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..90314712af
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/basdh
|
||||
+
|
||||
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
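Review bot: The three new scenarios (this file, `line_in_main_config.fail.sh` and `ok_different_config_file.pass.sh`) omit the `# platform = multi_platform_all` header that every sibling scenario in this series carries (see `bad_size.fail.sh` earlier on the page); if the harness reads that header to decide where a scenario runs, these may be skipped silently, so add it under the shebang. `line_in_main_config.fail.sh` also runs `rm -rf /etc/ssh/ssh_config.d/*`, which deletes every drop-in on the test host rather than only the rekey-limit one; `rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf`, as `ok.pass.sh` does, is enough to set up the scenario.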
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..9ba20b0290
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+rm -rf /etc/ssh/ssh_config.d/*
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..f725f6936f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
|
||||
|
||||
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 4 Jun 2020 08:25:29 +0200
|
||||
Subject: [PATCH 10/11] extend description and ocil
|
||||
|
||||
---
|
||||
.../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
index a1b85b0ee5..76f5f84090 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
@@ -10,6 +10,12 @@ description: |-
|
||||
amount of data that may be transmitted and the time
|
||||
elapsed. To decrease the default limits, put line
|
||||
<tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
|
||||
+ Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
|
||||
+ the <tt>include</tt> directive in the main config file
|
||||
+ <tt>/etc/ssh/ssh_config</tt>. Check also other files in
|
||||
+ <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
|
||||
+ their names. Make sure that there is no file processed before
|
||||
+ <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
|
||||
|
||||
rationale: |-
|
||||
By decreasing the limit based on the amount of data and enabling
|
||||
@@ -27,8 +33,11 @@ references:
|
||||
ocil_clause: 'it is commented out or is not set'
|
||||
|
||||
ocil: |-
|
||||
- To check if RekeyLimit is set correctly, run the
|
||||
- following command:
|
||||
- <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
|
||||
- If configured properly, output should be
|
||||
- <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
|
||||
+ To check if RekeyLimit is set correctly, run the following command: <pre>$
|
||||
+ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
|
||||
+ properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
|
||||
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
|
||||
+ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
|
||||
+ main configuration file with the following command: <pre>sudo grep
|
||||
+ RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
|
||||
+ output.
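Review bot: The reflowed OCIL text now breaks lines inside the `<pre>` elements (`<pre>$` / `sudo grep …` and `…02-rekey-limit.conf:` / `RekeyLimit …`), and since the block is a literal `|-` scalar those newlines survive into the rendered guide and split the command and its expected output across lines; keep each `<pre>…</pre>` on one source line and wrap only the surrounding prose. The check of the main file, `sudo grep RekeyLimit /etc/ssh/ssh_config`, also reports commented-out `# RekeyLimit` lines that the OVAL pattern `^[\s]*RekeyLimit.*$` deliberately ignores, so the manual procedure is stricter than the automated one; `sudo grep '^\s*RekeyLimit' /etc/ssh/ssh_config` matches the check. The unchanged `ocil_clause` ('it is commented out or is not set') no longer covers the new failure case of a value set in the main file.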
|
||||
|
||||
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 11:44:44 +0200
|
||||
Subject: [PATCH 11/11] fix typos and wording
|
||||
|
||||
---
|
||||
.../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++--
|
||||
.../tests/bad_main_config_good_include_config.fail.sh | 2 +-
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
|
||||
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
|
||||
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 +
|
||||
.../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 +
|
||||
.../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
|
||||
.../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
|
||||
8 files changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
index 76f5f84090..b054d9d221 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
||||
@@ -14,8 +14,9 @@ description: |-
|
||||
the <tt>include</tt> directive in the main config file
|
||||
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
|
||||
<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
|
||||
- their names. Make sure that there is no file processed before
|
||||
- <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
|
||||
+ lexicographical order of file names. Make sure that there is no file
|
||||
+ processed before <tt>02-rekey-limit.conf</tt> containing definition of
|
||||
+ <tt>RekeyLimit</tt>.
|
||||
|
||||
rationale: |-
|
||||
By decreasing the limit based on the amount of data and enabling
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
index 90314712af..58befb0107 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/bin/basdh
|
||||
+#!/bin/bash
|
||||
|
||||
echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
|
||||
echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
index 22c465b08f..1803c26629 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
||||
@@ -1,3 +1,4 @@
|
||||
+#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
index 0dc621b1da..2c9e839255 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
||||
@@ -1,3 +1,4 @@
|
||||
+#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
index f6abf711da..7de108eafd 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
||||
@@ -1,3 +1,4 @@
|
||||
+#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
index 89d7069687..4c047ed179 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
||||
@@ -1,3 +1,4 @@
|
||||
+#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
index 4e20104cba..c8dd8ef10e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
||||
@@ -7,7 +7,7 @@ description: |-
|
||||
of data. After this amount of data is transferred through the connection,
|
||||
the session key is renegotiated. The number is followed by K, M or G for
|
||||
kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
|
||||
- configured according to ellabsed time.
|
||||
+ configured according to elapsed time.
|
||||
|
||||
interactive: true
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
index 6143a5448c..6223e8e38f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
||||
@@ -3,11 +3,10 @@ documentation_complete: true
|
||||
title: 'SSH client RekeyLimit - time'
|
||||
|
||||
description: |-
|
||||
- Specify the time component of the rekey limit. This limit signifies amount
|
||||
- of data. The session key is renegotiated after the defined amount of time
|
||||
- passes. The number is followed by units such as H or M for hours or minutes.
|
||||
- Note that the RekeyLimit can be also configured according to amount of
|
||||
- transfered data.
|
||||
+ Specify the time component of the rekey limit. The session key is
|
||||
+ renegotiated after the defined amount of time passes. The number is followed
|
||||
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
|
||||
+ be also configured according to amount of transfered data.
|
||||
|
||||
interactive: true
|
||||
|
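Review bot: The new description text still carries the typo `transfered` and the awkward `can be also configured` on its last two lines, in a commit whose subject is "fix typos and wording"; suggest `by units such as H or M for hours or minutes. Note that the RekeyLimit can` / `also be configured according to the amount of transferred data.`. The remaining keys of the `.var` file are unchanged.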
@ -1,65 +0,0 @@
|
||||
From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001
|
||||
From: Gabe <redhatrises@gmail.com>
|
||||
Date: Tue, 16 Jun 2020 16:04:10 -0600
|
||||
Subject: [PATCH] Remove grub documentation links from RHEL7 rationale
|
||||
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_admin_username/rule.yml | 7 -------
|
||||
.../guide/system/bootloader-grub2/grub2_password/rule.yml | 7 -------
|
||||
.../system/bootloader-grub2/grub2_uefi_password/rule.yml | 7 -------
|
||||
3 files changed, 21 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
index 2042a17806..63a6a7a83c 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
|
||||
@@ -24,13 +24,6 @@ description: |-
|
||||
|
||||
rationale: |-
|
||||
Having a non-default grub superuser username makes password-guessing attacks less effective.
|
||||
- {{% if product == "rhel7" %}}
|
||||
- For more information on how to configure the grub2 superuser account and password,
|
||||
- please refer to
|
||||
- <ul>
|
||||
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
|
||||
- </ul>
|
||||
- {{% endif %}}
|
||||
|
||||
severity: low
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
index 00cec58c77..985b8727d7 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
|
||||
@@ -23,13 +23,6 @@ rationale: |-
|
||||
users with physical access cannot trivially alter
|
||||
important bootloader settings. These include which kernel to use,
|
||||
and whether to enter single-user mode.
|
||||
- {{% if product == "rhel7" %}}
|
||||
- For more information on how to configure the grub2 superuser account and password,
|
||||
- please refer to
|
||||
- <ul>
|
||||
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
|
||||
- </ul>
|
||||
- {{% endif %}}
|
||||
|
||||
severity: high
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
index 954d6f21d0..3ce5a2df13 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
|
||||
@@ -23,13 +23,6 @@ rationale: |-
|
||||
users with physical access cannot trivially alter
|
||||
important bootloader settings. These include which kernel to use,
|
||||
and whether to enter single-user mode.
|
||||
- {{% if product == "rhel7" %}}
|
||||
- For more information on how to configure the grub2 superuser account and password,
|
||||
- please refer to
|
||||
- <ul>
|
||||
- <li>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}</li>.
|
||||
- </ul>
|
||||
- {{% endif %}}
|
||||
|
||||
severity: medium
|
||||
|
@ -1,88 +0,0 @@
|
||||
From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 22 Jul 2020 09:52:50 +0200
|
||||
Subject: [PATCH] Add grub2 platform to grub2 kernel option rules
|
||||
|
||||
This will make sure these rules are applicable only when grub2
|
||||
(grub2-pc) is installed.
|
||||
---
|
||||
linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 ++
|
||||
.../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
|
||||
.../system/permissions/mounting/grub2_nousb_argument/rule.yml | 2 ++
|
||||
.../guide/system/permissions/restrictions/poisoning/group.yml | 2 ++
|
||||
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
|
||||
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
|
||||
7 files changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
index 00cb7f9b6c..5f3a47a776 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||||
@@ -102,6 +102,8 @@ warnings:
|
||||
{{% endif %}}
|
||||
</ul>
|
||||
|
||||
+platform: grub2
|
||||
+
|
||||
template:
|
||||
name: grub2_bootloader_argument
|
||||
vars:
|
||||
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
index 6cab6f7bfe..aa95957b58 100644
|
||||
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||||
@@ -60,7 +60,7 @@ warnings:
|
||||
{{% endif %}}
|
||||
</ul>
|
||||
|
||||
-platform: machine
|
||||
+platform: grub2
|
||||
|
||||
template:
|
||||
name: grub2_bootloader_argument
|
||||
diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
|
||||
index a3c1f48231..407ba2c069 100644
|
||||
--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
|
||||
@@ -37,3 +37,5 @@ warnings:
|
||||
Disabling all kernel support for USB will cause problems for systems
|
||||
with USB-based keyboards, mice, or printers. This configuration is
|
||||
infeasible for systems which require USB devices, which is common.
|
||||
+
|
||||
+platform: grub2
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
|
||||
index 6a7a370f2b..030a3e9918 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
|
||||
@@ -6,3 +6,5 @@ description: |-
|
||||
Memory Poisoning consists of writing a special value to uninitialized or freed memory.
|
||||
Poisoning can be used as a mechanism to prevent leak of information and detection of
|
||||
corrupted memory.
|
||||
+
|
||||
+platform: machine
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
index e3047ef223..2d97ec75ea 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
@@ -60,7 +60,7 @@ warnings:
|
||||
{{% endif %}}
|
||||
</ul>
|
||||
|
||||
-platform: machine
|
||||
+platform: grub2
|
||||
|
||||
template:
|
||||
name: grub2_bootloader_argument
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
index 024c93f18b..39ca33b77a 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
@@ -60,7 +60,7 @@ warnings:
|
||||
{{% endif %}}
|
||||
</ul>
|
||||
|
||||
-platform: machine
|
||||
+platform: grub2
|
||||
|
||||
template:
|
||||
name: grub2_bootloader_argument
|
@ -1,954 +0,0 @@
|
||||
From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 1 Jul 2020 16:12:35 +0200
|
||||
Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
|
||||
|
||||
Create initial version of zIPL specific BLS entries
|
||||
template by copying bls_entries_option template.
|
||||
---
|
||||
.../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++
|
||||
ssg/templates.py | 5 +++
|
||||
2 files changed, 37 insertions(+)
|
||||
create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
|
||||
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
new file mode 100644
|
||||
index 0000000000..a19bd5a89c
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
@@ -0,0 +1,32 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
|
||||
+ </metadata>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
+ comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
|
||||
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
+ version="1">
|
||||
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
+ version="1">
|
||||
+ <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+</def-group>
|
||||
diff --git a/ssg/templates.py b/ssg/templates.py
|
||||
index 2795267abd..fc09416abe 100644
|
||||
--- a/ssg/templates.py
|
||||
+++ b/ssg/templates.py
|
||||
@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
|
||||
return data
|
||||
|
||||
|
||||
+@template(["oval"])
|
||||
+def bls_entries_option(data, lang):
|
||||
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
||||
+ if lang == "oval":
|
||||
+ # escape dot, this is used in oval regex
|
||||
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
||||
+ # replace . with _, this is used in test / object / state ids
|
||||
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
|
||||
+ return data
|
||||
+
|
||||
+
|
||||
+@template(["oval"])
|
||||
+def zipl_bls_entries_option(data, lang):
|
||||
+ return bls_entries_option(data, lang)
|
||||
+
|
||||
+
|
||||
class Builder(object):
|
||||
"""
|
||||
Class for building all templated content for a given product.
|
||||
|
||||
From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 14:11:04 +0200
|
||||
Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
|
||||
|
||||
Extend zipl_bls_entries_option template to check that the kernel option
|
||||
is also configure in /etc/kernel/cmdline.
|
||||
The presence of the argument in /etc/kernel/cmdline ensures that newly
|
||||
installed kernels will be configure if the option.
|
||||
---
|
||||
.../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++--
|
||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
index a19bd5a89c..9af1bcfbee 100644
|
||||
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
@@ -6,8 +6,10 @@
|
||||
<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
|
||||
</metadata>
|
||||
<criteria operator="AND">
|
||||
- <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
||||
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
||||
+ <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
+ comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -25,6 +27,19 @@
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
+ comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
|
||||
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
+ version="1">
|
||||
+ <ind:filepath>/etc/kernel/cmdline</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
version="1">
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
|
||||
|
||||
From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 14:12:32 +0200
|
||||
Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
|
||||
|
||||
---
|
||||
.../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++
|
||||
.../template_BASH_zipl_bls_entries_option | 12 +++++
|
||||
ssg/templates.py | 2 +-
|
||||
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
new file mode 100644
|
||||
index 0000000000..c0cb131b82
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
@@ -0,0 +1,48 @@
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# reboot = true
|
||||
+# strategy = configure
|
||||
+# complexity = medium
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
|
||||
+ block:
|
||||
+ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
|
||||
+ find:
|
||||
+ paths: "/boot/loader/entries/"
|
||||
+ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
|
||||
+ patterns: "*.conf"
|
||||
+ register: entries_options
|
||||
+
|
||||
+ - name: "Update boot entries options"
|
||||
+ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
+ when: entries_options is defined and entries_options.examined != entries_options.matched
|
||||
+ # The conditional above assumes that only *.conf files are present in /boot/loader/entries
|
||||
+ # Then, the number of conf files is the same as examined files
|
||||
+
|
||||
+ - name: "Check if /etc/kernel/cmdline exists"
|
||||
+ stat:
|
||||
+ path: /etc/kernel/cmdline
|
||||
+ register: cmdline_stat
|
||||
+
|
||||
+ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
||||
+ find:
|
||||
+ paths: "/etc/kernel/"
|
||||
+ patterns: "cmdline"
|
||||
+ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
|
||||
+ register: cmdline_find
|
||||
+
|
||||
+ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
||||
+ lineinfile:
|
||||
+ create: yes
|
||||
+ path: "/etc/kernel/cmdline"
|
||||
+ line: '{{{ ARG_NAME_VALUE }}}'
|
||||
+ when: cmdline_stat is defined and not cmdline_stat.stat.exists
|
||||
+
|
||||
+ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
||||
+ lineinfile:
|
||||
+ path: "/etc/kernel/cmdline"
|
||||
+ backrefs: yes
|
||||
+ regexp: "^(.*)$"
|
||||
+ line: '\1 {{{ ARG_NAME_VALUE }}}'
|
||||
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
|
||||
+
|
||||
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
|
||||
new file mode 100644
|
||||
index 0000000000..9fc8865486
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
|
||||
@@ -0,0 +1,12 @@
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
|
||||
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
+
|
||||
+# Ensure new kernels and boot entries retain the boot option
|
||||
+if [ ! -f /etc/kernel/cmdline ]; then
|
||||
+ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
|
||||
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
|
||||
+ echo " audit=1" >> /etc/kernel/cmdline
|
||||
+ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
|
||||
+fi
|
||||
diff --git a/ssg/templates.py b/ssg/templates.py
|
||||
index fc09416abe..a27fbb6cb6 100644
|
||||
--- a/ssg/templates.py
|
||||
+++ b/ssg/templates.py
|
||||
@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
|
||||
return data
|
||||
|
||||
|
||||
-@template(["oval"])
|
||||
+@template(["ansible", "bash", "oval"])
|
||||
def zipl_bls_entries_option(data, lang):
|
||||
return bls_entries_option(data, lang)
|
||||
|
||||
|
||||
From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 15:50:56 +0200
|
||||
Subject: [PATCH 04/18] Enable zIPL in argument rules
|
||||
|
||||
---
|
||||
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++
|
||||
.../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++
|
||||
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++
|
||||
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
|
||||
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++
|
||||
6 files changed, 36 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index 624b4e7041..894bf7995f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -28,3 +28,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: audit
|
||||
+ arg_value: '1'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index faf114591a..12334c9905 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -28,3 +28,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: audit_backlog_limit
|
||||
+ arg_value: '8192'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index 866664c01b..f5a36ee1b3 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -28,3 +28,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: page_poison
|
||||
+ arg_value: '1'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
index 2f02d9668c..168dae46a1 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
@@ -27,3 +27,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: pti
|
||||
+ arg_value: 'on'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 0cb10d3cd8..84a374e36f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -28,3 +28,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that does not enable poisoning.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: slub_debug
|
||||
+ arg_value: 'P'
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index f79adeb083..c37e8bbefd 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -25,3 +25,9 @@ ocil: |-
|
||||
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: zipl_bls_entries_option
|
||||
+ vars:
|
||||
+ arg_name: vsyscall
|
||||
+ arg_value: 'none'
|
||||
|
||||
From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Sat, 4 Jul 2020 01:15:49 +0200
|
||||
Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
|
||||
|
||||
Fix typo
|
||||
---
|
||||
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 12334c9905..15729dc6b6 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
|
||||
ocil: |-
|
||||
To check that all boot entries extend the backlog limit;
|
||||
Check that all boot entries extend the log events queue:
|
||||
- <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
|
||||
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
||||
|
||||
platform: machine
|
||||
|
||||
From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 12:00:10 +0200
|
||||
Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
|
||||
|
||||
Description about how to ensure that new boot entries continue compliant
|
||||
was incorrect due to copy-pasta mistake.
|
||||
---
|
||||
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 84a374e36f..83e043179d 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -8,7 +8,7 @@ description: |-
|
||||
To enable poisoning of SLUB/SLAB objects,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
||||
included in its options.<br />
|
||||
- To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
||||
+ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
|
||||
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
||||
rationale: |-
|
||||
|
||||
From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 12:06:56 +0200
|
||||
Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
|
||||
|
||||
---
|
||||
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++
|
||||
.../zipl_audit_backlog_limit_argument/rule.yml | 3 +++
|
||||
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++
|
||||
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
|
||||
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
|
||||
7 files changed, 18 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index 894bf7995f..b1307ef3f2 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -20,6 +20,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83321-0
|
||||
+
|
||||
ocil_clause: 'auditing is not enabled at boot time'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 15729dc6b6..18391bee6c 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -19,6 +19,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83341-8
|
||||
+
|
||||
ocil_clause: 'audit backlog limit is not configured'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index f5a36ee1b3..7ffea8ce6a 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -20,6 +20,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83351-7
|
||||
+
|
||||
ocil_clause: 'page allocator poisoning is not enabled'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
index 168dae46a1..6fd1082292 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
@@ -19,6 +19,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83361-6
|
||||
+
|
||||
ocil_clause: 'Kernel page-table isolation is not enabled'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 83e043179d..c499140c35 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -20,6 +20,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83371-5
|
||||
+
|
||||
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index c37e8bbefd..7edd43074f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -17,6 +17,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83381-4
|
||||
+
|
||||
ocil_clause: 'vsyscalls are enabled'
|
||||
|
||||
ocil: |-
|
||||
|
||||
From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 14:36:28 +0200
|
||||
Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
|
||||
|
||||
These rules check and ensure configuration of BLS boot options used by
|
||||
zIPL.
|
||||
---
|
||||
rhel8/profiles/ospp.profile | 8 ++++++++
|
||||
rhel8/profiles/stig.profile | 6 ++++++
|
||||
2 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 80e4b71fff..d3732fa805 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -419,3 +419,11 @@ selections:
|
||||
# zIPl specific rules
|
||||
- zipl_bls_entries_only
|
||||
- zipl_bootmap_is_up_to_date
|
||||
+ - zipl_audit_argument
|
||||
+ - zipl_audit_backlog_limit_argument
|
||||
+ - zipl_slub_debug_argument
|
||||
+ - zipl_page_poison_argument
|
||||
+ - zipl_vsyscall_argument
|
||||
+ - zipl_vsyscall_argument.role=unscored
|
||||
+ - zipl_vsyscall_argument.severity=info
|
||||
+ - zipl_pti_argument
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index cfc2160be1..69d5222a32 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -49,3 +49,9 @@ selections:
|
||||
# Unselect zIPL rules from OSPP
|
||||
- "!zipl_bls_entries_only"
|
||||
- "!zipl_bootmap_is_up_to_date"
|
||||
+ - "!zipl_audit_argument"
|
||||
+ - "!zipl_audit_backlog_limit_argument"
|
||||
+ - "!zipl_page_poison_argument"
|
||||
+ - "!zipl_pti_argument"
|
||||
+ - "!zipl_slub_debug_argument"
|
||||
+ - "!zipl_vsyscall_argument"
|
||||
|
||||
From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 22:30:25 +0200
|
||||
Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
|
||||
|
||||
Just like rule selection, allows rule refinements to be unselected, or "undone".
|
||||
---
|
||||
build-scripts/compile_profiles.py | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
|
||||
index 0967252348..d1ce8984b2 100644
|
||||
--- a/build-scripts/compile_profiles.py
|
||||
+++ b/build-scripts/compile_profiles.py
|
||||
@@ -3,6 +3,7 @@
|
||||
import argparse
|
||||
import sys
|
||||
import os.path
|
||||
+from copy import deepcopy
|
||||
from glob import glob
|
||||
|
||||
import ssg.build_yaml
|
||||
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
|
||||
updated_variables.update(self.variables)
|
||||
self.variables = updated_variables
|
||||
|
||||
- updated_refinements = dict(extended_profile.refine_rules)
|
||||
+ extended_refinements = deepcopy(extended_profile.refine_rules)
|
||||
+ updated_refinements = self._subtract_refinements(extended_refinements)
|
||||
updated_refinements.update(self.refine_rules)
|
||||
self.refine_rules = updated_refinements
|
||||
|
||||
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
|
||||
|
||||
self.resolved = True
|
||||
|
||||
+ def _subtract_refinements(self, extended_refinements):
|
||||
+ """
|
||||
+ Given a dict of rule refinements from the extended profile,
|
||||
+ "undo" every refinement prefixed with '!' in this profile.
|
||||
+ """
|
||||
+ for rule, refinements in list(self.refine_rules.items()):
|
||||
+ if rule.startswith("!"):
|
||||
+ for prop, val in refinements:
|
||||
+ extended_refinements[rule[1:]].remove((prop, val))
|
||||
+ del self.refine_rules[rule]
|
||||
+ return extended_refinements
|
||||
+
|
||||
|
||||
def create_parser():
|
||||
parser = argparse.ArgumentParser()
|
||||
|
||||
From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 9 Jul 2020 22:32:32 +0200
|
||||
Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
|
||||
|
||||
Remove the zIPl rule refinementes from STIG profile
|
||||
---
|
||||
rhel8/profiles/stig.profile | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 69d5222a32..53647475aa 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -55,3 +55,5 @@ selections:
|
||||
- "!zipl_pti_argument"
|
||||
- "!zipl_slub_debug_argument"
|
||||
- "!zipl_vsyscall_argument"
|
||||
+ - "!zipl_vsyscall_argument.role=unscored"
|
||||
+ - "!zipl_vsyscall_argument.severity=info"
|
||||
|
||||
From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 09:38:57 +0200
|
||||
Subject: [PATCH 11/18] Update stable test for OSPP Profile
|
||||
|
||||
I just copied the resolved profile to profile_stability directory.
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 08dcccf24c..5aa3592496 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -168,6 +168,7 @@ selections:
|
||||
- service_rngd_enabled
|
||||
- service_systemd-coredump_disabled
|
||||
- service_usbguard_enabled
|
||||
+- ssh_client_rekey_limit
|
||||
- sshd_disable_empty_passwords
|
||||
- sshd_disable_gssapi_auth
|
||||
- sshd_disable_kerb_auth
|
||||
@@ -213,8 +214,14 @@ selections:
|
||||
- sysctl_user_max_user_namespaces
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
+- zipl_audit_argument
|
||||
+- zipl_audit_backlog_limit_argument
|
||||
- zipl_bls_entries_only
|
||||
- zipl_bootmap_is_up_to_date
|
||||
+- zipl_page_poison_argument
|
||||
+- zipl_pti_argument
|
||||
+- zipl_slub_debug_argument
|
||||
+- zipl_vsyscall_argument
|
||||
- var_sshd_set_keepalive=0
|
||||
- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
@@ -238,11 +245,12 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=never
|
||||
+- var_ssh_client_rekey_limit_size=1G
|
||||
+- var_ssh_client_rekey_limit_time=1hour
|
||||
- grub2_vsyscall_argument.role=unscored
|
||||
- grub2_vsyscall_argument.severity=info
|
||||
- sysctl_user_max_user_namespaces.role=unscored
|
||||
- sysctl_user_max_user_namespaces.severity=info
|
||||
-- ssh_client_rekey_limit
|
||||
-- var_ssh_client_rekey_limit_size=1G
|
||||
-- var_ssh_client_rekey_limit_time=1hour
|
||||
+- zipl_vsyscall_argument.role=unscored
|
||||
+- zipl_vsyscall_argument.severity=info
|
||||
title: Protection Profile for General Purpose Operating Systems
|
||||
|
||||
From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 15:15:25 +0200
|
||||
Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
|
||||
|
||||
---
|
||||
.../tests/correct_option.pass.sh | 16 ++++++++++++++++
|
||||
.../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++
|
||||
.../tests/missing_in_entry.fail.sh | 14 ++++++++++++++
|
||||
3 files changed, 44 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a9bd49dd0b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
@@ -0,0 +1,16 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+# Make sure boot loader entries contain audit=1
|
||||
+for file in /boot/loader/entries/*.conf
|
||||
+do
|
||||
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
||||
+ sed -i '/^options / s/$/audit=1/' "$file"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline contains audit=1
|
||||
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+ echo "audit=1" >> /etc/kernel/cmdline
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..d4d1d978c8
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+# Make sure boot loader entries contain audit=1
|
||||
+for file in /boot/loader/entries/*.conf
|
||||
+do
|
||||
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
||||
+ sed -i '/^options / s/$/audit=1/' "$file"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
|
||||
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..3e412c0542
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+# Remove audit=1 from all boot entries
|
||||
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
||||
+# But make sure one boot loader entry contains audit=1
|
||||
+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
|
||||
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
||||
+
|
||||
+# Make sure /etc/kernel/cmdline contains audit=1
|
||||
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+ echo "audit=1" >> /etc/kernel/cmdline
|
||||
+fi
|
||||
|
||||
From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 15:34:52 +0200
|
||||
Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
|
||||
|
||||
The template shouldn't have any hardcoded values.
|
||||
---
|
||||
shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
|
||||
index 9fc8865486..dde8c948f7 100644
|
||||
--- a/shared/templates/template_BASH_zipl_bls_entries_option
|
||||
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
|
||||
@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
if [ ! -f /etc/kernel/cmdline ]; then
|
||||
echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
|
||||
elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
|
||||
- echo " audit=1" >> /etc/kernel/cmdline
|
||||
- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
|
||||
+ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
|
||||
fi
|
||||
|
||||
From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 16:08:26 +0200
|
||||
Subject: [PATCH 14/18] Improve conditional check for the grubby command
|
||||
|
||||
Let's not trust that /boot/loader/entries/ only contains *.conf files.
|
||||
Count the number of conf files and how many set the propper options.
|
||||
---
|
||||
.../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++-----
|
||||
1 file changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
index c0cb131b82..bccad2267c 100644
|
||||
--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
||||
@@ -6,18 +6,22 @@
|
||||
|
||||
- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
|
||||
block:
|
||||
- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
|
||||
+ - name: "Check how many boot entries exist "
|
||||
+ find:
|
||||
+ paths: "/boot/loader/entries/"
|
||||
+ patterns: "*.conf"
|
||||
+ register: n_entries
|
||||
+
|
||||
+ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
|
||||
find:
|
||||
paths: "/boot/loader/entries/"
|
||||
contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
|
||||
patterns: "*.conf"
|
||||
- register: entries_options
|
||||
+ register: n_entries_options
|
||||
|
||||
- name: "Update boot entries options"
|
||||
command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
- when: entries_options is defined and entries_options.examined != entries_options.matched
|
||||
- # The conditional above assumes that only *.conf files are present in /boot/loader/entries
|
||||
- # Then, the number of conf files is the same as examined files
|
||||
+ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
|
||||
|
||||
- name: "Check if /etc/kernel/cmdline exists"
|
||||
stat:
|
||||
|
||||
From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 16:17:27 +0200
|
||||
Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
|
||||
|
||||
Append "audit=1" space from last option.
|
||||
---
|
||||
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
|
||||
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +-
|
||||
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
index a9bd49dd0b..5fcbcc5667 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
@@ -6,7 +6,7 @@
|
||||
for file in /boot/loader/entries/*.conf
|
||||
do
|
||||
if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
||||
- sed -i '/^options / s/$/audit=1/' "$file"
|
||||
+ sed -i '/^options / s/$/ audit=1/' "$file"
|
||||
fi
|
||||
done
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
index d4d1d978c8..b75165f904 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
@@ -6,7 +6,7 @@
|
||||
for file in /boot/loader/entries/*.conf
|
||||
do
|
||||
if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
||||
- sed -i '/^options / s/$/audit=1/' "$file"
|
||||
+ sed -i '/^options / s/$/ audit=1/' "$file"
|
||||
fi
|
||||
done
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
index 3e412c0542..e3d342d533 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
@@ -5,7 +5,7 @@
|
||||
# Remove audit=1 from all boot entries
|
||||
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
||||
# But make sure one boot loader entry contains audit=1
|
||||
-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
|
||||
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
|
||||
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
||||
|
||||
# Make sure /etc/kernel/cmdline contains audit=1
|
||||
|
||||
From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 16:29:06 +0200
|
||||
Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
|
||||
|
||||
These test scenarios can be run on any OS that supports BLS and provides
|
||||
grubby.
|
||||
But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
|
||||
has s390utils-base installed).
|
||||
---
|
||||
.../zipl_audit_argument/tests/correct_option.pass.sh | 3 +--
|
||||
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +--
|
||||
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +--
|
||||
3 files changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
index 5fcbcc5667..73ed0eae0f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# remediation = none
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
|
||||
# Make sure boot loader entries contain audit=1
|
||||
for file in /boot/loader/entries/*.conf
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
index b75165f904..3af83d30d8 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# remediation = none
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
|
||||
# Make sure boot loader entries contain audit=1
|
||||
for file in /boot/loader/entries/*.conf
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
index e3d342d533..142f75ba60 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
@@ -1,6 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# remediation = none
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
|
||||
# Remove audit=1 from all boot entries
|
||||
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
||||
|
||||
From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Yuuma Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 16:35:55 +0200
|
||||
Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
|
||||
|
||||
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
||||
---
|
||||
shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
index 9af1bcfbee..502d5e7d9a 100644
|
||||
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
||||
@@ -7,7 +7,7 @@
|
||||
</metadata>
|
||||
<criteria operator="AND">
|
||||
<criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
||||
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
|
||||
<criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
||||
comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
|
||||
</criteria>
|
||||
|
||||
From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 10 Jul 2020 17:15:46 +0200
|
||||
Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
|
||||
|
||||
/etc/kernel/cmdline is not always present. Lest suppress any error
|
||||
message about absent file in the test scenarios.
|
||||
---
|
||||
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
|
||||
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
index 73ed0eae0f..7a828837fe 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
||||
@@ -10,6 +10,6 @@ do
|
||||
done
|
||||
|
||||
# Make sure /etc/kernel/cmdline contains audit=1
|
||||
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
echo "audit=1" >> /etc/kernel/cmdline
|
||||
fi
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
index 142f75ba60..5650cc0a74 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
||||
@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
|
||||
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
||||
|
||||
# Make sure /etc/kernel/cmdline contains audit=1
|
||||
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
||||
echo "audit=1" >> /etc/kernel/cmdline
|
||||
fi
|
@ -1,43 +0,0 @@
|
||||
From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 28 Jul 2020 13:22:58 +0200
|
||||
Subject: [PATCH 1/2] update wording for rhel7 profile
|
||||
|
||||
---
|
||||
rhel7/profiles/hipaa.profile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
|
||||
index 4310561323..000441de52 100644
|
||||
--- a/rhel7/profiles/hipaa.profile
|
||||
+++ b/rhel7/profiles/hipaa.profile
|
||||
@@ -12,6 +12,7 @@ description: |-
|
||||
|
||||
This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
|
||||
Rule identified for securing of electronic protected health information.
|
||||
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
|
||||
|
||||
selections:
|
||||
- grub2_password
|
||||
|
||||
From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 28 Jul 2020 13:23:18 +0200
|
||||
Subject: [PATCH 2/2] update wording for rhel8 profile
|
||||
|
||||
---
|
||||
rhel8/profiles/hipaa.profile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
|
||||
index 8d20f9019c..0cb7fbed1f 100644
|
||||
--- a/rhel8/profiles/hipaa.profile
|
||||
+++ b/rhel8/profiles/hipaa.profile
|
||||
@@ -12,6 +12,7 @@ description: |-
|
||||
|
||||
This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
|
||||
Rule identified for securing of electronic protected health information.
|
||||
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
|
||||
|
||||
selections:
|
||||
- grub2_password
|
@ -1,52 +0,0 @@
|
||||
From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 17 Aug 2020 10:59:15 +0200
|
||||
Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds
|
||||
|
||||
These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5.
|
||||
In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not
|
||||
necessary anymore.
|
||||
---
|
||||
tests/run_scapval.py | 26 --------------------------
|
||||
1 file changed, 26 deletions(-)
|
||||
|
||||
diff --git a/tests/run_scapval.py b/tests/run_scapval.py
|
||||
index e1dd806ca1..bc2655b9fd 100755
|
||||
--- a/tests/run_scapval.py
|
||||
+++ b/tests/run_scapval.py
|
||||
@@ -46,35 +46,9 @@ def process_results(result_path):
|
||||
return ret_val
|
||||
|
||||
|
||||
-def workaround_datastream(datastream_path):
|
||||
- tree = ET.parse(datastream_path)
|
||||
- root = tree.getroot()
|
||||
- # group_id and user_id cannot be zero
|
||||
- # tracked at https://github.com/OVAL-Community/OVAL/issues/23
|
||||
- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns):
|
||||
- if group_id_element.text is not None:
|
||||
- group_id_element.text = "-1"
|
||||
- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns):
|
||||
- if user_id_element.text is not None:
|
||||
- user_id_element.text = "-1"
|
||||
- # OCIL checks for security_patches_up_to_date is causing fail
|
||||
- # of SRC-377, when requirement is about OVAL checks.
|
||||
- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
|
||||
- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)):
|
||||
- for check in rule.findall("{%s}check" % xccdf_ns):
|
||||
- system = check.get("system")
|
||||
- if system == "http://scap.nist.gov/schema/ocil/2":
|
||||
- rule.remove(check)
|
||||
- output_path = datastream_path + ".workaround.xml"
|
||||
- tree.write(output_path)
|
||||
- return output_path
|
||||
-
|
||||
-
|
||||
def test_datastream(datastream_path, scapval_path, scap_version):
|
||||
result_path = datastream_path + ".result.xml"
|
||||
report_path = datastream_path + ".report.html"
|
||||
- if scap_version == "1.3":
|
||||
- datastream_path = workaround_datastream(datastream_path)
|
||||
scapval_command = [
|
||||
"java",
|
||||
"-Xmx1024m",
|
@ -1,408 +0,0 @@
|
||||
From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 17:37:50 +0200
|
||||
Subject: [PATCH 1/9] create rule, check, bash remediation
|
||||
|
||||
---
|
||||
.../bash/shared.sh | 9 +++++
|
||||
.../oval/shared.xml | 1 +
|
||||
.../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
4 files changed, 43 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..9838a13c95
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
|
||||
+
|
||||
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|
||||
+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
|
||||
+
|
||||
+#blank line at the begining to ease later readibility
|
||||
+echo '' > "$file"
|
||||
+echo "$cp" >> "$file"
|
||||
+update-crypto-policies
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..09199ce4da
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
|
||||
@@ -0,0 +1 @@
|
||||
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..afbdb36a23
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Harden OpenSSL Crypto Policy'
|
||||
+
|
||||
+description: |-
|
||||
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
|
||||
+ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
|
||||
+ This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
|
||||
+ Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
|
||||
+
|
||||
+rationale: |-
|
||||
+ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 84286-4
|
||||
+
|
||||
+references:
|
||||
+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
|
||||
+ ospp : FCS_SSHS_EXT.1
|
||||
+ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
|
||||
+
|
||||
+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To verify if the OpenSSL uses defined Crypto Policy, run:
|
||||
+ <pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
|
||||
+ and verify that the line matches
|
||||
+ <pre>84285-6</pre>
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index afc0d80417..01b321b6d5 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -904,8 +904,6 @@ CCE-84281-5
|
||||
CCE-84282-3
|
||||
CCE-84283-1
|
||||
CCE-84284-9
|
||||
-CCE-84285-6
|
||||
-CCE-84286-4
|
||||
CCE-84287-2
|
||||
CCE-84288-0
|
||||
CCE-84289-8
|
||||
|
||||
From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 17:38:32 +0200
|
||||
Subject: [PATCH 2/9] add tests
|
||||
|
||||
---
|
||||
.../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++
|
||||
.../tests/correct_commented.fail.sh | 7 +++++++
|
||||
.../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++
|
||||
.../tests/empty_policy.fail.sh | 7 +++++++
|
||||
.../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++
|
||||
.../tests/incorrect_policy.fail.sh | 7 +++++++
|
||||
.../tests/missing_file.fail.sh | 7 +++++++
|
||||
7 files changed, 51 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..9e59b30bd2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
|
||||
+
|
||||
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..91863849b3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
|
||||
+
|
||||
+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..f44957d3e1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
|
||||
+
|
||||
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
|
||||
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..5b14fe8ef4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
|
||||
+
|
||||
+echo "Ciphersuites=" > "$configfile"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..6be3bb2ffa
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
|
||||
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
new file mode 100644
index 0000000000..b4fd0f97be
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
new file mode 100644
index 0000000000..2d11d227cb
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+rm -f "$configfile"
From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:05:38 +0200
Subject: [PATCH 3/9] remove blank line from remediation
---
.../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
index 9838a13c95..be6f84f83d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -3,7 +3,6 @@
cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
-#blank line at the begining to ease later readibility
-echo '' > "$file"
+
echo "$cp" >> "$file"
update-crypto-policies
From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:02 +0200
Subject: [PATCH 4/9] fix separator regex in oval
---
.../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
index 09199ce4da..37be62ee39 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 9 Jul 2020 09:06:29 +0200
Subject: [PATCH 5/9] reformat rule, fix wrong ocil
---
.../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++-----
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index afbdb36a23..d019d6cd32 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -5,13 +5,23 @@ prodtype: rhel8
title: 'Harden OpenSSL Crypto Policy'
description: |-
- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
- This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
- Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt> variable configured with predefined value.
+ Crypto Policies are means of enforcing certain cryptographic settings for
+ selected applications including OpenSSL. OPenSSL is by default configured to
+ modify its configuration based on currently configured Crypto-Policy.
+ However, in certain cases it might be needed to override the Crypto Policy
+ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
+ <tt>xxx</tt> with arbitrary identifier, into
+ <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
+ <tt>update-crypto-policies</tt> so that changes are applied. Changes are
+ propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.
+ This rule checks if this file contains predefined <tt>Ciphersuites</tt>
+ variable configured with predefined value.
rationale: |-
- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+ The Common Criteria requirements specify that certain parameters for OpenSSL
+ are configured e.g. cipher suites. Currently particular requirements
+ specified by CC are stricter compared to any existing Crypto Policy.
severity: medium
@@ -30,4 +40,4 @@ ocil: |-
To verify if the OpenSSL uses defined Crypto Policy, run:
<pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>
and verify that the line matches
- <pre>84285-6</pre>
+ <pre>Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</pre>
From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:34 +0200
Subject: [PATCH 6/9] update references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index d019d6cd32..075e381906 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -31,8 +31,8 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
- ospp : FCS_SSHS_EXT.1
- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+ ospp: FCS_TLSC_EXT.1.1
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 13 Jul 2020 09:49:48 +0200
Subject: [PATCH 7/9] add ansible remediation
---
.../ansible/shared.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
new file mode 100644
index 0000000000..d5c2c2b9f7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ lineinfile:
+ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ create: yes
+ insertafter: EOF
+
+- name: "Update system crypto policy for changes to take effect"
+ command:
+ cmd: "update-crypto-policies"
From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Wed, 15 Jul 2020 09:26:11 +0200
Subject: [PATCH 8/9] fix typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index 075e381906..ce0351aa34 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
description: |-
Crypto Policies are means of enforcing certain cryptographic settings for
- selected applications including OpenSSL. OPenSSL is by default configured to
- modify its configuration based on currently configured Crypto-Policy.
+ selected applications including OpenSSL. OpenSSL is by default configured to
+ modify its configuration based on currently configured Crypto Policy.
However, in certain cases it might be needed to override the Crypto Policy
- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ specific to OpenSSL and leave rest of the Crypto Policy intact. This can
be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
<tt>xxx</tt> with arbitrary identifier, into
<tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Jul 2020 09:36:06 +0200
Subject: [PATCH 9/9] update rule references
---
.../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index ce0351aa34..0cbead2a6d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -30,8 +30,8 @@ identifiers:
references:
- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ nist: SC-8(1),SC-13
ospp: FCS_TLSC_EXT.1.1
- srg: SRG-OS-000250-GPOS-00093
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
@ -1,48 +0,0 @@
From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Aug 2020 15:56:40 +0200
Subject: [PATCH] Add a missing Crypto Policy rule to OSPP.
The rule fell out by mistake, this addition complements #4682
---
rhel8/profiles/ospp.profile | 1 +
tests/data/profile_stability/rhel8/ospp.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 5 +++--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5b5b5b711a..a651885eef 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -235,6 +235,7 @@ selections:
- enable_fips_mode
- var_system_crypto_policy=fips_ospp
- configure_crypto_policy
+ - configure_ssh_crypto_policy
- configure_bind_crypto_policy
- configure_openssl_crypto_policy
- configure_libreswan_crypto_policy
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5aa3592496..13c4e6b08d 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -62,6 +62,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 9b164eb5c2..c7fe02169a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -77,6 +77,7 @@ selections:
- configure_kerberos_crypto_policy
- configure_libreswan_crypto_policy
- configure_openssl_crypto_policy
+- configure_ssh_crypto_policy
- configure_tmux_lock_after_time
- configure_tmux_lock_command
- configure_usbguard_auditbackend
@ -1,22 +0,0 @@
From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 18 Aug 2020 13:55:12 +0200
Subject: [PATCH] Added SRG to configure_ssh_crypto_policy
https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935
---
.../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index e2dd99dbb5..51788a3226 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -24,6 +24,7 @@ identifiers:
references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
cis@rhel8: 5.2.20
+ srg: SRG-OS-000250-GPOS-00093
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
@ -1,884 +0,0 @@
From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 6 -----
.../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 6 -----
.../zipl_pti_argument/rule.yml | 6 -----
.../zipl_slub_debug_argument/rule.yml | 6 -----
.../zipl_vsyscall_argument/rule.yml | 6 -----
8 files changed, 24 insertions(+), 42 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+ by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+ configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+ Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
---
.../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++
.../tests/image_configured.fail.sh | 6 +++++
.../tests/no_image.pass.sh | 7 +++++
3 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="zipl_bls_entries_only" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Ensure zIPL entries are BLS compliant</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>Check if /etc/zipl.conf configures any boot entry</description>
|
||||
+ </metadata>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_zipl_bls_entries_only"
|
||||
+ comment="Test presence of image configuration in /etc/zipl.conf" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
|
||||
+ comment="Test presence of image configuration in /etc/zipl.conf"
|
||||
+ check="all" check_existence="none_exist" version="1">
|
||||
+ <ind:object object_ref="object_zipl_bls_entries_only" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
|
||||
+ version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..e3adb99638
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+# Make sure no image configured in zipl config file
|
||||
+echo 'image = /boot/image' >> /etc/zipl.conf
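Review bot: The comment above the `echo` says "Make sure no image configured" while the line appends a non-BLS `image =` entry, which is exactly what makes this the fail scenario; the comment was copied from the pass script. It should read `# Configure a non-BLS boot entry (image=) so the rule fails`. Appending the key outside any `[section]` header is enough for the regex the OVAL uses, but putting a `[test]` section line before it would keep the fixture a well-formed zipl.conf.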
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..47626442f6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+# Make sure no image configured in zipl config file
|
||||
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
|
||||
+true
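Review bot: The `sed` expression `/^image\s*=/d` leaves indented `image =` lines in place, and a later patch in this series makes the OVAL match those (`^\s*image\s*=`), so a host whose zipl.conf indents its keys would fail this pass scenario. Use `sed -Ei '/^\s*image\s*=/d' /etc/zipl.conf`. `sed -i` also errors out when /etc/zipl.conf does not exist and the trailing `true` hides that; presumably intended since the OVAL passes on a missing file, but `[ -f /etc/zipl.conf ] && sed -Ei '/^\s*image\s*=/d' /etc/zipl.conf` says so explicitly.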
|
||||
|
||||
From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 11:09:08 +0200
|
||||
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
|
||||
|
||||
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
|
||||
is tricky and can lead to broken entries or removal of all of them.
|
||||
---
|
||||
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
index b6ccbb5343..f792c5257f 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
@@ -22,3 +22,8 @@ ocil: |-
|
||||
No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
|
||||
|
||||
platform: machine
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
|
||||
+ automated remediation for this rule is not available.
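Review bot: The warning text added here has a typo, `oconfigured` for `configured`, and it is rendered verbatim into the generated guide. While fixing it I would also tell the reader what to do instead, since the rule has no fix: `To prevent breakage or removal of all boot entries configured in /etc/zipl.conf, automated remediation for this rule is not available; remove non-BLS entries manually.`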
|
||||
|
||||
From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 18:51:04 +0200
|
||||
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
|
||||
|
||||
Instead of having each zIPL argument rule check if zIPL bootmap is up to
|
||||
date, let's split it into its own rule.
|
||||
---
|
||||
.../zipl_audit_argument/rule.yml | 6 -----
|
||||
.../rule.yml | 7 -----
|
||||
.../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++
|
||||
.../zipl_enable_selinux/rule.yml | 6 -----
|
||||
.../zipl_page_poison_argument/rule.yml | 7 -----
|
||||
.../zipl_pti_argument/rule.yml | 7 -----
|
||||
.../zipl_slub_debug_argument/rule.yml | 7 -----
|
||||
.../zipl_vsyscall_argument/rule.yml | 7 -----
|
||||
8 files changed, 27 insertions(+), 47 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index 1211a53295..624b4e7041 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -8,7 +8,6 @@ description: |-
|
||||
To ensure all processes can be audited, even those which start prior to the audit daemon,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
|
||||
To ensure that new kernels and boot entries continue to enable audit,
|
||||
add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
@@ -28,9 +27,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
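Review bot: The OCIL command retained above the removed lines, `grep -L "^options\s+.*\baudit=1\b"`, is a GNU basic regular expression in which `+` is a literal character, so the pattern demands a literal `+` after the whitespace and never matches a real `options` line; `grep -L` then lists every boot entry as non-compliant. Use `sudo grep -L -E "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` (or `\s\+` in BRE). The same construct is used by the OCIL of the other zipl_* rules touched in this patch and should be corrected there too.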
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 7d88e38686..faf114591a 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -8,8 +8,6 @@ description: |-
|
||||
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
-
|
||||
To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
||||
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
||||
@@ -29,9 +27,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
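Review bot: The OCIL grep left in this hunk's context searches for `audit_backlog_limit=0` while the rule's description and title require `audit_backlog_limit=8192`, so the manual check contradicts the automated one and would report compliant entries as failures. It should read `sudo grep -L -E "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf`, with `-E` because `+` is a literal in GNU basic regex.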
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..082562d11e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
@@ -0,0 +1,27 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Ensure zIPL bootmap is up to date'
|
||||
+
|
||||
+description: |-
|
||||
+ Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
|
||||
+ Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
|
||||
+ be updated to reflect the changes.<br />
|
||||
+ Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
|
||||
+
|
||||
+rationale: |-
|
||||
+ The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
|
||||
+ boot correct kernel and options.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+ocil_clause: 'the bootmap is outdated'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
+ and <tt>/etc/zipl.conf</tt>:
|
||||
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
|
||||
+
|
||||
+platform: machine
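Review bot: The check this rule describes only compares modification times, so a plain `touch /boot/bootmap` satisfies it without regenerating the boot map, and nothing in the rule text says so; now that the per-argument zipl_* rules no longer verify the bootmap themselves, an assessor also needs to know their results are meaningless until this rule passes. I would add a `warnings:` entry along the lines of: this rule compares the modification time of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf and cannot verify that the boot map content matches the entries; kernel command line options checked by the other zIPL rules only take effect once zipl has been re-run. The OCIL `find ... -newer` also errors out when /etc/zipl.conf is absent, which the text could mention.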
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
index 1c3bfeb246..b0bc0fc374 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
||||
@@ -8,7 +8,6 @@ description: |-
|
||||
To ensure SELinux is not disabled at boot time,
|
||||
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
|
||||
rationale: |-
|
||||
Disabling a major host protection feature, such as SELinux, at boot time prevents
|
||||
@@ -25,9 +24,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that disables SELinux.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
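Review bot: The OCIL retained in this hunk uses `grep -L` (files without a match) for `selinux=0`, so it lists the compliant entries and stays silent on any entry that actually disables SELinux — the inverse of the sentence that follows it. It should be `sudo grep -l -E "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf`, with `-E` since `+` is a literal in GNU basic regex.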
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index 6dbfd501b7..866664c01b 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -8,8 +8,6 @@ description: |-
|
||||
To enable poisoning of free pages,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
|
||||
-
|
||||
To ensure that new kernels and boot entries continue to enable page poisoning,
|
||||
add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
||||
@@ -29,9 +27,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
index 555fdf2b66..2f02d9668c 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
@@ -8,8 +8,6 @@ description: |-
|
||||
To enable Kernel page-table isolation,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
-
|
||||
To ensure that new kernels and boot entries continue to enable page-table isolation,
|
||||
add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
||||
@@ -28,9 +26,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index dd7865bf81..0cb10d3cd8 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -8,8 +8,6 @@ description: |-
|
||||
To enable poisoning of SLUB/SLAB objects,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
-
|
||||
To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
||||
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
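Review bot: The description context kept below the removed lines still says `slub_debug=P` is added so that new entries "continue to extend the audit log events queue", which was copied from the audit_backlog_limit rule and is wrong for this one. It should read `To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,`.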
||||
@@ -29,9 +27,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that does not enable poisoning.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index 18b7ade460..f79adeb083 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -8,8 +8,6 @@ description: |-
|
||||
To disable use of virtual syscalls,
|
||||
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
|
||||
included in its options.<br />
|
||||
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
||||
-
|
||||
To ensure that new kernels and boot entries continue to disable virtual syscalls,
|
||||
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
|
||||
@@ -26,9 +24,4 @@ ocil: |-
|
||||
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
|
||||
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
|
||||
|
||||
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
||||
- and <tt>/etc/zipl.conf</tt>:
|
||||
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
||||
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
||||
-
|
||||
platform: machine
|
||||
|
||||
From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 15:59:31 +0200
|
||||
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
|
||||
|
||||
---
|
||||
.../oval/shared.xml | 46 +++++++++++++++++++
|
||||
1 file changed, 46 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..6c446cbe59
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
||||
@@ -0,0 +1,46 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Ensure zIPL bootmap is up to date</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>Check if /boot/bootmap is up to date</description>
|
||||
+ </metadata>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_zipl_bootmap_is_up_to_date"
|
||||
+ comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
|
||||
+ <unix:object object_ref="object_zipl_boot_bootmap_file" />
|
||||
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
|
||||
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
|
||||
+ </unix:file_test>
|
||||
+
|
||||
+ <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
|
||||
+ <unix:filepath>/boot/bootmap</unix:filepath>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- Newer means modified more recently, which means more seconds since epoch -->
|
||||
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
|
||||
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
|
||||
+ var_ref="variable_zipl_conf_file_age" />
|
||||
+ </unix:file_state>
|
||||
+ <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
|
||||
+ <object_component object_ref="zipl_conf_file" item_field="m_time"/>
|
||||
+ </local_variable>
|
||||
+ <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
|
||||
+ <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
|
||||
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
|
||||
+ var_ref="variable_boot_entry_files_age" />
|
||||
+ </unix:file_state>
|
||||
+ <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
|
||||
+ <object_component object_ref="boot_entry_files" item_field="m_time"/>
|
||||
+ </local_variable>
|
||||
+ <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
|
||||
+ <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
|
||||
+ </unix:file_object>
|
||||
+</def-group>
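Review bot: Both `local_variable`s feed a state with `var_check="all"`, and when `/etc/zipl.conf` is absent or `/boot/loader/entries/` holds no `*.conf` the variable resolves to no values; in OpenSCAP that typically makes the test evaluate to error rather than a clean fail, so the rule reports an error precisely on the misconfigured hosts an assessor cares about. I would AND an existence criterion into the definition: a `unix:file_test` with `check_existence="at_least_one_exists"` referencing `zipl_conf_file`, and another referencing `boot_entry_files`, so a missing file is a deterministic fail. Note also that `greater than or equal` on `m_time` accepts a bootmap that was merely touched after the entries; the check is a heuristic and the rule description should say so.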
|
||||
|
||||
From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 16:15:35 +0200
|
||||
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
|
||||
|
||||
These tests mock existence of zIPL files.
|
||||
---
|
||||
.../tests/newer_boot_entry.fail.sh | 10 ++++++++++
|
||||
.../tests/newer_zipl_conf.fail.sh | 10 ++++++++++
|
||||
.../tests/up_to_date.pass.sh | 9 +++++++++
|
||||
3 files changed, 29 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..728c6b7bdb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+touch /etc/zipl.conf
|
||||
+touch /boot/loader/entries/*.conf # Update current existing entries
|
||||
+touch /boot/loader/entries/zipl-entry-1.conf
|
||||
+touch /boot/bootmap
|
||||
+sleep 2
|
||||
+touch /boot/loader/entries/zipl-entry-2.conf
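Review bot: `touch /boot/loader/entries/*.conf` with no matching files creates a file literally named `*.conf` (bash leaves nullglob off), and that file then also matches the OVAL's `.*\.conf$` pattern, so the fixture no longer tests what the name says. Put `shopt -s nullglob` before the glob, or use `find /boot/loader/entries -name '*.conf' -exec touch {} +`. The same line appears in the other two scenarios added by this patch.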
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1ae4d631ee
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+touch /boot/loader/entries/*.conf # Update current existing entries
|
||||
+touch /boot/loader/entries/zipl-entry-1.conf
|
||||
+touch /boot/loader/entries/zipl-entry-2.conf
|
||||
+touch /boot/bootmap
|
||||
+sleep 2
|
||||
+touch /etc/zipl.conf
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7981ba8c5c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# remediation = none
|
||||
+
|
||||
+touch /etc/zipl.conf
|
||||
+touch /boot/loader/entries/*.conf # Update current existing entries
|
||||
+touch /boot/loader/entries/zipl-entry-1.conf
|
||||
+touch /boot/loader/entries/zipl-entry-2.conf
|
||||
+touch /boot/bootmap
|
||||
|
||||
From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 18:35:06 +0200
|
||||
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 24 +++++++++++++++++++
|
||||
.../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
|
||||
2 files changed, 27 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..e545eacc13
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
|
||||
@@ -0,0 +1,24 @@
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "Ensure zIPL bootmap is up to date"
|
||||
+ block:
|
||||
+ - name: "Obtain stats of /boot/bootmap"
|
||||
+ stat:
|
||||
+ path: /boot/bootmap
|
||||
+ register: boot_bootmap
|
||||
+
|
||||
+ - name: "Obtain stats of /etc/zipl.conf"
|
||||
+ stat:
|
||||
+ path: /etc/zipl.conf
|
||||
+ register: zipl_conf
|
||||
+
|
||||
+ # TODO: handle /boot/loader/entries/*.conf
|
||||
+
|
||||
+ - name: "Update zIPL bootmap"
|
||||
+ command: /usr/sbin/zipl
|
||||
+ changed_when: True
|
||||
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
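Review bot: The `when:` condition dereferences `boot_bootmap.stat.mtime` and `zipl_conf.stat.mtime` unconditionally, so if either file is missing — which is exactly when the OVAL fails — the task errors out instead of remediating. Guard it: `when: not boot_bootmap.stat.exists or (zipl_conf.stat.exists and boot_bootmap.stat.mtime < zipl_conf.stat.mtime)`. The `TODO` also means the `newer_boot_entry` failing case is never remediated by this playbook; until entries are handled, running `/usr/sbin/zipl` unconditionally, as the bash remediation in this patch does, is the safer choice.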
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..2cf7e388f0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+/usr/bin/zipl
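Review bot: This remediation declares only `# platform`, while its Ansible counterpart in the same patch also declares reboot, strategy, complexity and disruption; the two should carry the same metadata so the generated fix elements agree. Add `# reboot = false`, `# strategy = configure`, `# complexity = low` and `# disruption = low` under the platform line.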
|
||||
|
||||
From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 1 Jul 2020 17:16:41 +0200
|
||||
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
|
||||
|
||||
---
|
||||
rhel8/profiles/ospp.profile | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 07d32b814d..80e4b71fff 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -415,3 +415,7 @@ selections:
|
||||
- ssh_client_rekey_limit
|
||||
- var_ssh_client_rekey_limit_size=1G
|
||||
- var_ssh_client_rekey_limit_time=1hour
|
||||
+
|
||||
+ # zIPl specific rules
|
||||
+ - zipl_bls_entries_only
|
||||
+ - zipl_bootmap_is_up_to_date
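Review bot: Selecting these rules into the rhel8 OSPP profile applies them on every architecture, while nothing visible in the rules (`platform: machine`) restricts them to s390x; on a host without `/boot/bootmap` the OVAL's `all_exist` fails and the bash remediation would invoke a `zipl` binary that is not installed. Unless the build already applies an s390x-specific platform to these rules, that should be settled before they land in OSPP (and in STIG, which inherits them). Also a typo in the added comment: `# zIPL specific rules`.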
|
||||
|
||||
From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 14:03:21 +0200
|
||||
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
|
||||
|
||||
---
|
||||
.../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
index 2cf7e388f0..2310ca060d 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
|
||||
@@ -1,3 +1,3 @@
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
|
||||
-/usr/bin/zipl
|
||||
+/usr/sbin/zipl
|
||||
|
||||
From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 14:06:22 +0200
|
||||
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
|
||||
|
||||
There can be leading spaces before 'image'.
|
||||
---
|
||||
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
index 41e9773814..f68d91c128 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
@@ -20,7 +20,7 @@
|
||||
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
|
||||
version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
|
||||
From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 14:10:22 +0200
|
||||
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
|
||||
|
||||
There is no need to perform pattern match, the check just needs to
|
||||
examine /etc/zipl.conf file.
|
||||
---
|
||||
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
index f68d91c128..1ebf03ee37 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
|
||||
@@ -19,7 +19,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
|
||||
version="1">
|
||||
- <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
|
||||
+ <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 14:13:26 +0200
|
||||
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
|
||||
|
||||
Add RHEL-8 CCE identifiers for:
|
||||
- zipl_bls_entries_only
|
||||
- zipl_bootmap_is_up_to_date
|
||||
---
|
||||
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
|
||||
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
|
||||
3 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
index f792c5257f..67cc061ce3 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
@@ -14,6 +14,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83485-3
|
||||
+
|
||||
ocil_clause: 'a non BLS boot entry is configured'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
index 082562d11e..da9411d00b 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
@@ -16,6 +16,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel8: 83486-1
|
||||
+
|
||||
ocil_clause: 'the bootmap is outdated'
|
||||
|
||||
ocil: |-
|
||||
|
||||
From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 14:16:58 +0200
|
||||
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
|
||||
|
||||
Update the profile reference file.
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index b0d7672c36..08dcccf24c 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -213,6 +213,8 @@ selections:
|
||||
- sysctl_user_max_user_namespaces
|
||||
- timer_dnf-automatic_enabled
|
||||
- usbguard_allow_hid_and_hub
|
||||
+- zipl_bls_entries_only
|
||||
+- zipl_bootmap_is_up_to_date
|
||||
- var_sshd_set_keepalive=0
|
||||
- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
|
||||
From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Jul 2020 15:28:09 +0200
|
||||
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
|
||||
|
||||
The zIPL rules are inherited from OSPP profile
|
||||
---
|
||||
rhel8/profiles/stig.profile | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 8f12852e26..cfc2160be1 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -45,3 +45,7 @@ selections:
|
||||
- rsyslog_remote_tls
|
||||
- rsyslog_remote_tls_cacert
|
||||
- "!ssh_client_rekey_limit"
|
||||
+
|
||||
+ # Unselect zIPL rules from OSPP
|
||||
+ - "!zipl_bls_entries_only"
|
||||
+ - "!zipl_bootmap_is_up_to_date"
|
@ -1,209 +0,0 @@
|
||||
From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 7 Jul 2020 11:31:59 +0200
|
||||
Subject: [PATCH 1/3] modify rule description and ocil
|
||||
|
||||
---
|
||||
.../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++--------
|
||||
1 file changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
||||
index 765fca583e..1667557740 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
||||
@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
|
||||
|
||||
description: |-
|
||||
Device files, which are used for communication with important system
|
||||
- resources, should be labeled with proper SELinux types. If any device
|
||||
- files do not carry the SELinux type <tt>device_t</tt>, report the bug so
|
||||
- that policy can be corrected. Supply information about what the device is
|
||||
- and what programs use it.
|
||||
+ resources, should be labeled with proper SELinux types. If any device files
|
||||
+ carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
|
||||
+ bug so that policy can be corrected. Supply information about what the
|
||||
+ device is and what programs use it.
|
||||
<br /><br />
|
||||
- To check for unlabeled device files, run the following command:
|
||||
+ To check for incorrectly labeled device files, run following commands:
|
||||
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
|
||||
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
|
||||
It should produce no output in a well-configured system.
|
||||
|
||||
rationale: |-
|
||||
- If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
|
||||
- cannot properly restrict access to the device file.
|
||||
+ If a device file carries the SELinux type <tt>device_t</tt> or
|
||||
+ <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
|
||||
+ device file.
|
||||
|
||||
severity: medium
|
||||
|
||||
@@ -45,8 +47,9 @@ references:
|
||||
ocil_clause: 'there is output'
|
||||
|
||||
ocil: |-
|
||||
- To check for unlabeled device files, run the following command:
|
||||
+ To check for incorrectly labeled device files, run following commands:
|
||||
<pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
|
||||
+ <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
|
||||
It should produce no output in a well-configured system.
|
||||
|
||||
warnings:
|
||||
|
||||
From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 7 Jul 2020 11:32:57 +0200
|
||||
Subject: [PATCH 2/3] updated oval to check only device files
|
||||
|
||||
---
|
||||
.../oval/shared.xml | 64 +++++++++++++------
|
||||
1 file changed, 43 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
||||
index 51b68008af..7dcfb98577 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
||||
@@ -2,32 +2,54 @@
|
||||
<definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
|
||||
<metadata>
|
||||
<title>Device Files Have Proper SELinux Context</title>
|
||||
- <affected family="unix">
|
||||
- <platform>Red Hat Enterprise Linux 6</platform>
|
||||
- <platform>Red Hat Enterprise Linux 7</platform>
|
||||
- <platform>Red Hat Enterprise Linux 8</platform>
|
||||
- <platform>Red Hat Virtualization 4</platform>
|
||||
- <platform>multi_platform_fedora</platform>
|
||||
- <platform>multi_platform_ol</platform>
|
||||
- <platform>multi_platform_wrlinux</platform>
|
||||
- </affected>
|
||||
- <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
+ <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
|
||||
</metadata>
|
||||
- <criteria>
|
||||
- <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
|
||||
+ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
|
||||
</criteria>
|
||||
</definition>
|
||||
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
|
||||
- <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
|
||||
- <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
|
||||
+
|
||||
+ <!-- collect all special files from /dev directory -->
|
||||
+ <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
|
||||
+ <unix:behaviors recurse_direction="down" />
|
||||
+ <unix:path operation="equals">/dev</unix:path>
|
||||
+ <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
+ <filter action="include">state_block_or_char_device_file</filter>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
|
||||
+ <unix:type operation="pattern match">^(block|character) special$</unix:type>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
|
||||
+ <object_component object_ref="object_dev_device_files" item_field="filepath" />
|
||||
+ </local_variable>
|
||||
+
|
||||
+
|
||||
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
|
||||
+ <linux:object object_ref="object_selinux_dev_device_t" />
|
||||
+ <linux:state state_ref="state_selinux_dev_device_t" />
|
||||
</linux:selinuxsecuritycontext_test>
|
||||
- <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
|
||||
- <linux:behaviors recurse_direction="down" />
|
||||
- <linux:path>/dev</linux:path>
|
||||
- <linux:filename operation="pattern match">^.*$</linux:filename>
|
||||
- <filter action="include">state_selinux_all_devicefiles_labeled</filter>
|
||||
+ <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
|
||||
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
|
||||
+ <filter action="include">state_selinux_dev_device_t</filter>
|
||||
</linux:selinuxsecuritycontext_object>
|
||||
- <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
|
||||
+ <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
|
||||
<linux:type datatype="string" operation="equals">device_t</linux:type>
|
||||
</linux:selinuxsecuritycontext_state>
|
||||
+
|
||||
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
|
||||
+ <linux:object object_ref="object_selinux_dev_unlabeled_t" />
|
||||
+ <linux:state state_ref="state_selinux_dev_unlabeled_t" />
|
||||
+ </linux:selinuxsecuritycontext_test>
|
||||
+ <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
|
||||
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
|
||||
+ <filter action="include">state_selinux_dev_unlabeled_t</filter>
|
||||
+ </linux:selinuxsecuritycontext_object>
|
||||
+ <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
|
||||
+ <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
|
||||
+ </linux:selinuxsecuritycontext_state>
|
||||
+
|
||||
</def-group>
|
||||
|
||||
From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 7 Jul 2020 11:33:26 +0200
|
||||
Subject: [PATCH 3/3] add tests
|
||||
|
||||
---
|
||||
.../tests/block_device_device_t.fail.sh | 4 ++++
|
||||
.../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++
|
||||
.../tests/regular_file_device_t.pass.sh | 4 ++++
|
||||
.../tests/symlink_with_wrong_label.pass.sh | 4 ++++
|
||||
4 files changed, 26 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
||||
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..08c4142e5b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+mknod /dev/foo b 1 5
|
||||
+chcon -t device_t /dev/foo
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1da85c2034
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# selinux does not allow unlabeled_t in /dev
|
||||
+# we have to modify the selinux policy to allow that
|
||||
+
|
||||
+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
|
||||
+semodule -i /tmp/unlabeled_t.cil
|
||||
+
|
||||
+mknod /dev/foo c 1 5
|
||||
+chcon -t unlabeled_t /dev/foo
|
||||
+
|
||||
+
|
||||
+mknod /dev/foo c 1 5
|
||||
+chcon -t device_t /dev/foo
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..d161951d7a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+touch /dev/foo
|
||||
+restorecon -F /dev/foo
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a8280bf37e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+ln -s /dev/cpu /dev/foo
|
||||
+restorecon -F /dev/foo
|
@ -1,280 +0,0 @@
|
||||
From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 27 Aug 2020 13:19:01 +0200
|
||||
Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
|
||||
|
||||
Adds a when clause to Ansible snippets of rules with Package CPE platform.
|
||||
|
||||
If the when clause is added, a fact_packages Task needs to added as
|
||||
well.
|
||||
---
|
||||
ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 49 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index a9ef3014ac..597aed5889 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -6,8 +6,7 @@
|
||||
import os.path
|
||||
import re
|
||||
import codecs
|
||||
-from collections import defaultdict, namedtuple
|
||||
-
|
||||
+from collections import defaultdict, namedtuple, OrderedDict
|
||||
|
||||
import ssg.yaml
|
||||
from . import build_yaml
|
||||
@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class):
|
||||
else:
|
||||
return []
|
||||
|
||||
+ def inject_package_facts_task(self, parsed_snippet):
|
||||
+ """ Injects a package_facts task only if
|
||||
+ the snippet has a task with a when clause with ansible_facts.packages,
|
||||
+ and the snippet doesn't already have an package_facts task
|
||||
+ """
|
||||
+ has_package_facts_task = False
|
||||
+ has_ansible_facts_packages_clause = False
|
||||
+
|
||||
+ for p_task in parsed_snippet:
|
||||
+ # We are only interested in the OrderedDicts, which represent Ansible tasks
|
||||
+ if not isinstance(p_task, dict):
|
||||
+ continue
|
||||
+
|
||||
+ if "package_facts" in p_task:
|
||||
+ has_package_facts_task = True
|
||||
+
|
||||
+ if "ansible_facts.packages" in p_task.get("when", ""):
|
||||
+ has_ansible_facts_packages_clause = True
|
||||
+
|
||||
+ if has_ansible_facts_packages_clause and not has_package_facts_task:
|
||||
+ facts_task = OrderedDict({'name': 'Gather the package facts',
|
||||
+ 'package_facts': {'manager': 'auto'}})
|
||||
+ parsed_snippet.insert(0, facts_task)
|
||||
+
|
||||
def update_when_from_rule(self, to_update):
|
||||
additional_when = ""
|
||||
- if self.associated_rule.platform == "machine":
|
||||
- additional_when = ('ansible_virtualization_role != "guest" '
|
||||
- 'or ansible_virtualization_type != "docker"')
|
||||
+ rule_platform = self.associated_rule.platform
|
||||
+ if rule_platform == "machine":
|
||||
+ additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
|
||||
+ elif rule_platform is not None:
|
||||
+ # Assume any other platform is a Package CPE
|
||||
+
|
||||
+ # It doesn't make sense to add a conditional on the task that
|
||||
+ # gathers data for the conditional
|
||||
+ if "package_facts" in to_update:
|
||||
+ return
|
||||
+
|
||||
+ additional_when = '"' + rule_platform + '" in ansible_facts.packages'
|
||||
+ # After adding the conditional, we need to make sure package_facts are collected.
|
||||
+ # This is done via inject_package_facts_task()
|
||||
to_update.setdefault("when", "")
|
||||
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
|
||||
if not new_when:
|
||||
@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
|
||||
to_update["when"] = new_when
|
||||
|
||||
def update(self, parsed, config):
|
||||
+ # We split the remediation update in three steps
|
||||
+
|
||||
+ # 1. Update the when clause
|
||||
for p in parsed:
|
||||
if not isinstance(p, dict):
|
||||
continue
|
||||
self.update_when_from_rule(p)
|
||||
+
|
||||
+ # 2. Inject any extra task necessary
|
||||
+ self.inject_package_facts_task(parsed)
|
||||
+
|
||||
+ # 3. Add tags to all tasks, including the ones we have injected
|
||||
+ for p in parsed:
|
||||
+ if not isinstance(p, dict):
|
||||
+ continue
|
||||
self.update_tags_from_config(p, config)
|
||||
self.update_tags_from_rule(p)
|
||||
|
||||
|
||||
From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 27 Aug 2020 17:09:06 +0200
|
||||
Subject: [PATCH 2/5] Add inherited_platform to Rule
|
||||
|
||||
This field is exported to the rule when it is resolved.
|
||||
---
|
||||
ssg/build_yaml.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
|
||||
index 4ba114eee4..fe290ffc05 100644
|
||||
--- a/ssg/build_yaml.py
|
||||
+++ b/ssg/build_yaml.py
|
||||
@@ -832,6 +832,7 @@ class Rule(object):
|
||||
"conflicts": lambda: list(),
|
||||
"requires": lambda: list(),
|
||||
"platform": lambda: None,
|
||||
+ "inherited_platforms": lambda: list(),
|
||||
"template": lambda: None,
|
||||
}
|
||||
|
||||
@@ -851,6 +852,7 @@ def __init__(self, id_):
|
||||
self.requires = []
|
||||
self.conflicts = []
|
||||
self.platform = None
|
||||
+ self.inherited_platforms = [] # platforms inherited from the group
|
||||
self.template = None
|
||||
|
||||
@classmethod
|
||||
@@ -1293,6 +1295,9 @@ def _process_rules(self):
|
||||
continue
|
||||
self.all_rules.add(rule)
|
||||
self.loaded_group.add_rule(rule)
|
||||
+
|
||||
+ rule.inherited_platforms.append(self.loaded_group.platform)
|
||||
+
|
||||
if self.resolved_rules_dir:
|
||||
output_for_rule = os.path.join(
|
||||
self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
|
||||
|
||||
From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 27 Aug 2020 17:21:35 +0200
|
||||
Subject: [PATCH 3/5] Add when clauses for inherited platforms too
|
||||
|
||||
Consider the Rule's Group platform while including 'when' clauses to
|
||||
Ansible snippets.
|
||||
|
||||
Some rules have two platforms, a machine platform and a package
|
||||
platform. One of them is represented of the Rule, and the other is
|
||||
represented in the Rule's Group.
|
||||
|
||||
The platforms are organized like this to due limiation in XCCDF,
|
||||
multiple platforms in a Rule are ORed, not ANDed.
|
||||
---
|
||||
ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
|
||||
1 file changed, 27 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 597aed5889..a2a996d0af 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
|
||||
if "package_facts" in p_task:
|
||||
has_package_facts_task = True
|
||||
|
||||
- if "ansible_facts.packages" in p_task.get("when", ""):
|
||||
- has_ansible_facts_packages_clause = True
|
||||
+ # When clause of the task can be string or a list, lets normalize to list
|
||||
+ task_when = p_task.get("when", "")
|
||||
+ if type(task_when) is str:
|
||||
+ task_when = [ task_when ]
|
||||
+ for when in task_when:
|
||||
+ if "ansible_facts.packages" in when:
|
||||
+ has_ansible_facts_packages_clause = True
|
||||
|
||||
if has_ansible_facts_packages_clause and not has_package_facts_task:
|
||||
facts_task = OrderedDict({'name': 'Gather the package facts',
|
||||
@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
|
||||
parsed_snippet.insert(0, facts_task)
|
||||
|
||||
def update_when_from_rule(self, to_update):
|
||||
- additional_when = ""
|
||||
- rule_platform = self.associated_rule.platform
|
||||
- if rule_platform == "machine":
|
||||
- additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
|
||||
- elif rule_platform is not None:
|
||||
- # Assume any other platform is a Package CPE
|
||||
-
|
||||
- # It doesn't make sense to add a conditional on the task that
|
||||
- # gathers data for the conditional
|
||||
- if "package_facts" in to_update:
|
||||
- return
|
||||
-
|
||||
- additional_when = '"' + rule_platform + '" in ansible_facts.packages'
|
||||
- # After adding the conditional, we need to make sure package_facts are collected.
|
||||
- # This is done via inject_package_facts_task()
|
||||
+ additional_when = []
|
||||
+
|
||||
+ rule_platforms = set([self.associated_rule.platform] +
|
||||
+ self.associated_rule.inherited_platforms)
|
||||
+
|
||||
+ for platform in rule_platforms:
|
||||
+ if platform == "machine":
|
||||
+ additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
|
||||
+ elif platform is not None:
|
||||
+ # Assume any other platform is a Package CPE
|
||||
+
|
||||
+ # It doesn't make sense to add a conditional on the task that
|
||||
+ # gathers data for the conditional
|
||||
+ if "package_facts" in to_update:
|
||||
+ continue
|
||||
+
|
||||
+ additional_when.append('"' + platform + '" in ansible_facts.packages')
|
||||
+ # After adding the conditional, we need to make sure package_facts are collected.
|
||||
+ # This is done via inject_package_facts_task()
|
||||
+
|
||||
to_update.setdefault("when", "")
|
||||
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
|
||||
if not new_when:
|
||||
|
||||
From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 31 Aug 2020 16:06:14 +0200
|
||||
Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling
|
||||
|
||||
Add a quick comment too.
|
||||
---
|
||||
ssg/build_remediations.py | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index a2a996d0af..9e622ef740 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
|
||||
def update_when_from_rule(self, to_update):
|
||||
additional_when = []
|
||||
|
||||
- rule_platforms = set([self.associated_rule.platform] +
|
||||
- self.associated_rule.inherited_platforms)
|
||||
+ # There can be repeated inherited platforms and rule platforms
|
||||
+ rule_platforms = set(self.associated_rule.inherited_platforms)
|
||||
+ rule_platforms.add(self.associated_rule.platform)
|
||||
|
||||
for platform in rule_platforms:
|
||||
if platform == "machine":
|
||||
|
||||
From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 31 Aug 2020 16:10:53 +0200
|
||||
Subject: [PATCH 5/5] Code style and grammar changes
|
||||
|
||||
---
|
||||
ssg/build_remediations.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 9e622ef740..866450dd8c 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
|
||||
def inject_package_facts_task(self, parsed_snippet):
|
||||
""" Injects a package_facts task only if
|
||||
the snippet has a task with a when clause with ansible_facts.packages,
|
||||
- and the snippet doesn't already have an package_facts task
|
||||
+ and the snippet doesn't already have a package_facts task
|
||||
"""
|
||||
has_package_facts_task = False
|
||||
has_ansible_facts_packages_clause = False
|
||||
@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
|
||||
# When clause of the task can be string or a list, lets normalize to list
|
||||
task_when = p_task.get("when", "")
|
||||
if type(task_when) is str:
|
||||
- task_when = [ task_when ]
|
||||
+ task_when = [task_when]
|
||||
for when in task_when:
|
||||
if "ansible_facts.packages" in when:
|
||||
has_ansible_facts_packages_clause = True
|
@ -1,241 +0,0 @@
|
||||
From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Sep 2020 14:36:07 +0200
|
||||
Subject: [PATCH 1/5] Align Bash applicability with CPE platform
|
||||
|
||||
Wraps the remediation of rules with Packager CPE Platform
|
||||
with an if condition that checks for the respective
|
||||
platforms's package.
|
||||
---
|
||||
ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 45 insertions(+)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index ccbdf9fc1f..2d4a805e78 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -27,6 +27,13 @@
|
||||
'kubernetes': '.yml'
|
||||
}
|
||||
|
||||
+PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
|
||||
+ 'apt_get': 'dpkg-query -s {} &>/dev/null',
|
||||
+ 'dnf': 'rpm --quiet -q {}',
|
||||
+ 'yum': 'rpm --quiet -q {}',
|
||||
+ 'zypper': 'rpm --quiet -q {}',
|
||||
+}
|
||||
+
|
||||
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
|
||||
|
||||
REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
|
||||
@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
|
||||
def __init__(self, file_path):
|
||||
super(BashRemediation, self).__init__(file_path, "bash")
|
||||
|
||||
+ def parse_from_file_with_jinja(self, env_yaml):
|
||||
+ self.local_env_yaml.update(env_yaml)
|
||||
+ result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
|
||||
+
|
||||
+ # There can be repeated inherited platforms and rule platforms
|
||||
+ rule_platforms = set(self.associated_rule.inherited_platforms)
|
||||
+ rule_platforms.add(self.associated_rule.platform)
|
||||
+
|
||||
+ platform_conditionals = []
|
||||
+ for platform in rule_platforms:
|
||||
+ if platform == "machine":
|
||||
+ # Based on check installed_env_is_a_container
|
||||
+ platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
|
||||
+ elif platform is not None:
|
||||
+ # Assume any other platform is a Package CPE
|
||||
+
|
||||
+ # Some package names are different from the platform names
|
||||
+ if platform in self.local_env_yaml["platform_package_overrides"]:
|
||||
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
|
||||
+
|
||||
+ # Adjust package check command according to the pkg_manager
|
||||
+ pkg_manager = self.local_env_yaml["pkg_manager"]
|
||||
+ pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
|
||||
+ platform_conditionals.append(pkg_check_command.format(platform))
|
||||
+
|
||||
+ if platform_conditionals:
|
||||
+ platform_fix_text = "# Remediation is applicable only in certain platforms\n"
|
||||
+
|
||||
+ cond = platform_conditionals.pop(0)
|
||||
+ platform_fix_text += "if {}".format(cond)
|
||||
+ for cond in platform_conditionals:
|
||||
+ platform_fix_text += " && {}".format(cond)
|
||||
+ platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
|
||||
+
|
||||
+ remediation = namedtuple('remediation', ['contents', 'config'])
|
||||
+ result = remediation(contents=platform_fix_text, config=result.config)
|
||||
+
|
||||
+ return result
|
||||
|
||||
class AnsibleRemediation(Remediation):
|
||||
def __init__(self, file_path):
|
||||
|
||||
From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Sep 2020 14:41:01 +0200
|
||||
Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
|
||||
|
||||
Adjust expansion of subs and variables not to remove the whole beginning
|
||||
of the fix test. This was removing the package conditional wrapping.
|
||||
---
|
||||
ssg/build_remediations.py | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 2d4a805e78..49ec557000 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
|
||||
patcomp = re.compile(pattern, re.DOTALL)
|
||||
fixparts = re.split(patcomp, fix.text)
|
||||
if fixparts[0] is not None:
|
||||
- # Split the portion of fix.text from fix start to first call of
|
||||
- # remediation function, keeping only the third part:
|
||||
- # * tail to hold part of the fix.text after inclusion,
|
||||
- # but before first call of remediation function
|
||||
+ # Split the portion of fix.text at the string remediation_functions,
|
||||
+ # and remove preceeding comment whenever it is there.
|
||||
+ # * head holds part of the fix.text before
|
||||
+ # remediation_functions string
|
||||
+ # * tail holds part of the fix.text after the
|
||||
+ # remediation_functions string
|
||||
try:
|
||||
- rfpattern = '(.*remediation_functions)(.*)'
|
||||
- rfpatcomp = re.compile(rfpattern, re.DOTALL)
|
||||
- _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
|
||||
+ rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
|
||||
+ rfpatcomp = re.compile(rfpattern)
|
||||
+ head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
|
||||
except ValueError:
|
||||
sys.stderr.write("Processing fix.text for: %s rule\n"
|
||||
% fix.get('rule'))
|
||||
@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
|
||||
"after inclusion of remediation functions."
|
||||
" Aborting..\n")
|
||||
sys.exit(1)
|
||||
- # If the 'tail' is not empty, make it new fix.text.
|
||||
+ # If the 'head' is not empty, make it new fix.text.
|
||||
# Otherwise use ''
|
||||
- fix.text = tail if tail is not None else ''
|
||||
+ fix.text = head if head is not None else ''
|
||||
+ fix.text += tail if tail is not None else ''
|
||||
# Drop the first element of 'fixparts' since it has been processed
|
||||
fixparts.pop(0)
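Review bot: The `is not None` guards on `head` and `tail` are dead code: `re.split` with `maxsplit=1` on a pattern whose single capturing group spans the whole match returns three plain strings whenever it matches, and the no-match case (a one-element list) already ends in the `except ValueError` branch above. `fix.text = head + tail` says the same thing without implying a None case that cannot occur, and the comment above it should state that the matched `remediation_functions` reference itself is deliberately discarded. The function continues outside the hunk.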
|
||||
# Perform sanity check on new 'fixparts' list content (to continue
|
||||
|
||||
From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Sep 2020 20:56:17 +0200
|
||||
Subject: [PATCH 3/5] Check if remediation has associated rule before use
|
||||
|
||||
---
|
||||
ssg/build_remediations.py | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 49ec557000..85f7139d8f 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
|
||||
self.local_env_yaml.update(env_yaml)
|
||||
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
|
||||
|
||||
- # There can be repeated inherited platforms and rule platforms
|
||||
- rule_platforms = set(self.associated_rule.inherited_platforms)
|
||||
- rule_platforms.add(self.associated_rule.platform)
|
||||
+ rule_platforms = set()
|
||||
+ if self.associated_rule:
|
||||
+ # There can be repeated inherited platforms and rule platforms
|
||||
+ rule_platforms.update(self.associated_rule.inherited_platforms)
|
||||
+ rule_platforms.add(self.associated_rule.platform)
|
||||
|
||||
platform_conditionals = []
|
||||
for platform in rule_platforms:
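Review bot: The new guard only checks that a rule is attached; `self.associated_rule.platform` is still added to `rule_platforms` unconditionally, so if that attribute can be unset for a rule without a platform, a None entry lands in the set. The loop at the end of the hunk continues outside it, so I cannot see whether it filters such an entry before it reaches the package-check command; if it does not, `if self.associated_rule.platform:` around the `add` call keeps the generated conditional well-formed. parse_from_file_with_jinja starts before the hunk.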
|
||||
|
||||
From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Sep 2020 10:59:43 +0200
|
||||
Subject: [PATCH 4/5] Fix python2 compat and improve code readability
|
||||
|
||||
---
|
||||
ssg/build_remediations.py | 29 ++++++++++++++++++-----------
|
||||
1 file changed, 18 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 85f7139d8f..673d6d0cc6 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -28,10 +28,10 @@
|
||||
}
|
||||
|
||||
PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
|
||||
- 'apt_get': 'dpkg-query -s {} &>/dev/null',
|
||||
- 'dnf': 'rpm --quiet -q {}',
|
||||
- 'yum': 'rpm --quiet -q {}',
|
||||
- 'zypper': 'rpm --quiet -q {}',
|
||||
+ 'apt_get': 'dpkg-query -s {0} &>/dev/null',
|
||||
+ 'dnf': 'rpm --quiet -q {0}',
|
||||
+ 'yum': 'rpm --quiet -q {0}',
|
||||
+ 'zypper': 'rpm --quiet -q {0}',
|
||||
}
|
||||
|
||||
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
|
||||
@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
|
||||
platform_conditionals.append(pkg_check_command.format(platform))
|
||||
|
||||
if platform_conditionals:
|
||||
- platform_fix_text = "# Remediation is applicable only in certain platforms\n"
|
||||
+ wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
|
||||
|
||||
- cond = platform_conditionals.pop(0)
|
||||
- platform_fix_text += "if {}".format(cond)
|
||||
- for cond in platform_conditionals:
|
||||
- platform_fix_text += " && {}".format(cond)
|
||||
- platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
|
||||
+ all_conditions = " && ".join(platform_conditionals)
|
||||
+ wrapped_fix_text.append("if {0}; then".format(all_conditions))
|
||||
+
|
||||
+ # Avoid adding extra blank line
|
||||
+ if not result.contents.startswith("\n"):
|
||||
+ wrapped_fix_text.append("")
|
||||
+
|
||||
+ wrapped_fix_text.append("{0}".format(result.contents))
|
||||
+ wrapped_fix_text.append("")
|
||||
+ wrapped_fix_text.append("else")
|
||||
+ wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
|
||||
+ wrapped_fix_text.append("fi")
|
||||
|
||||
remediation = namedtuple('remediation', ['contents', 'config'])
|
||||
- result = remediation(contents=platform_fix_text, config=result.config)
|
||||
+ result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
|
||||
|
||||
return result
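Review bot: The `else` branch of the generated wrapper only writes to stderr, so a remediation skipped as not applicable still exits 0 (the status of the `fi`), which is indistinguishable from a successful fix to whatever runs the script; if that is the intended contract it deserves a comment next to the `>&2 echo` line, e.g. `# Skipped remediations exit 0 on purpose; a non-zero status would be reported as a failed fix`, and if not, the branch needs an explicit exit status. The platform names are also dropped into the `if` line unquoted; they come from rule metadata at build time rather than from the target host, so this is a robustness rather than an injection concern, but a name containing whitespace or shell metacharacters would silently change the condition. `"{0}".format(result.contents)` is just `result.contents`. The function starts before the hunk.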
|
||||
|
||||
|
||||
From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Sep 2020 17:25:27 +0200
|
||||
Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
|
||||
|
||||
---
|
||||
ssg/build_remediations.py | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 673d6d0cc6..f269d4d2d6 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
|
||||
if not result.contents.startswith("\n"):
|
||||
wrapped_fix_text.append("")
|
||||
|
||||
+ # It is possible to indent the original body of the remediation with textwrap.indent(),
|
||||
+ # however, it is not supported by python2, and there is a risk of breaking remediations
|
||||
+ # For example, remediations with a here-doc block could be affected.
|
||||
wrapped_fix_text.append("{0}".format(result.contents))
|
||||
wrapped_fix_text.append("")
|
||||
wrapped_fix_text.append("else")
|
@ -1,203 +0,0 @@
|
||||
From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 4 Sep 2020 09:50:54 +0200
|
||||
Subject: [PATCH 1/3] Introduce platform_package_overrides
|
||||
|
||||
Introduce a mapping of CPE package platform name to a package name.
|
||||
|
||||
Each linux distro or version may have its specific name for a package,
|
||||
this mapping allows a product to override the package name of a
|
||||
platform.
|
||||
|
||||
By default, it assumes that the package name will be the same as the
|
||||
platform name.
|
||||
---
|
||||
rhel8/product.yml | 7 +++++++
|
||||
ssg/build_remediations.py | 3 +++
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/rhel8/product.yml b/rhel8/product.yml
|
||||
index 6cdc51919e..6b5b4e2748 100644
|
||||
--- a/rhel8/product.yml
|
||||
+++ b/rhel8/product.yml
|
||||
@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
|
||||
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
|
||||
+
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ grub2: "grub2-pc"
|
||||
+ login_defs: "shadow-utils"
|
||||
+ sssd: "sssd-common"
|
||||
+ zipl: "s390x-utils"
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index 866450dd8c..ccbdf9fc1f 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
|
||||
if "package_facts" in to_update:
|
||||
continue
|
||||
|
||||
+ if platform in self.local_env_yaml["platform_package_overrides"]:
|
||||
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
|
||||
+
|
||||
additional_when.append('"' + platform + '" in ansible_facts.packages')
|
||||
# After adding the conditional, we need to make sure package_facts are collected.
|
||||
# This is done via inject_package_facts_task()
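Review bot: `self.local_env_yaml["platform_package_overrides"]` raises KeyError for any product whose product.yml does not define the key, and in this patch only rhel8 does; the last patch on this page seeds the key in open_environment, but the lookup should not depend on that. `platform = self.local_env_yaml.get("platform_package_overrides", {}).get(platform, platform)` replaces both added lines, drops the redundant `in` test, and keeps the original platform name when there is no override. update_when_from_rule starts before the hunk and continues past it.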
|
||||
|
||||
From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 4 Sep 2020 14:42:57 +0200
|
||||
Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
|
||||
|
||||
---
|
||||
rhel8/product.yml | 6 ------
|
||||
ssg/constants.py | 8 ++++++++
|
||||
2 files changed, 8 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel8/product.yml b/rhel8/product.yml
|
||||
index 6b5b4e2748..d839b23231 100644
|
||||
--- a/rhel8/product.yml
|
||||
+++ b/rhel8/product.yml
|
||||
@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
|
||||
|
||||
-# Mapping of CPE platform to package
|
||||
-platform_package_overrides:
|
||||
- grub2: "grub2-pc"
|
||||
- login_defs: "shadow-utils"
|
||||
- sssd: "sssd-common"
|
||||
- zipl: "s390x-utils"
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index 3f9d7d37ce..7e9678241c 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -501,6 +501,14 @@
|
||||
"zipl": "cpe:/a:zipl",
|
||||
}
|
||||
|
||||
+# Default platform to package mapping
|
||||
+XCCDF_PLATFORM_TO_PACKAGE = {
|
||||
+ "grub2": "grub2-pc",
|
||||
+ "login_defs": "login",
|
||||
+ "sssd": "sssd-common",
|
||||
+ "zipl": "s390x-utils",
|
||||
+}
|
||||
+
|
||||
# _version_name_map = {
|
||||
MAKEFILE_ID_TO_PRODUCT_MAP = {
|
||||
'chromium': 'Google Chromium Browser',
|
||||
|
||||
From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 4 Sep 2020 14:47:29 +0200
|
||||
Subject: [PATCH 3/3] Allow override of default platform package mapping
|
||||
|
||||
With default platform to package mappings defined, we need to allow a
|
||||
product to override it if needed.
|
||||
---
|
||||
rhel6/product.yml | 4 ++++
|
||||
rhel7/product.yml | 4 ++++
|
||||
rhel8/product.yml | 3 +++
|
||||
rhosp10/product.yml | 3 +++
|
||||
rhosp13/product.yml | 4 ++++
|
||||
rhv4/product.yml | 4 ++++
|
||||
ssg/yaml.py | 6 +++++-
|
||||
8 files changed, 31 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/rhel6/product.yml b/rhel6/product.yml
|
||||
index cc8fa4f8ed..eab9b80c47 100644
|
||||
--- a/rhel6/product.yml
|
||||
+++ b/rhel6/product.yml
|
||||
@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
|
||||
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
|
||||
+
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/rhel7/product.yml b/rhel7/product.yml
|
||||
index f03c928b8f..3ff996b8cc 100644
|
||||
--- a/rhel7/product.yml
|
||||
+++ b/rhel7/product.yml
|
||||
@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
|
||||
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
|
||||
+
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/rhel8/product.yml b/rhel8/product.yml
|
||||
index d839b23231..f3aa59faec 100644
|
||||
--- a/rhel8/product.yml
|
||||
+++ b/rhel8/product.yml
|
||||
@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
|
||||
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/rhosp10/product.yml b/rhosp10/product.yml
|
||||
index 51d0a932a5..af42ca998d 100644
|
||||
--- a/rhosp10/product.yml
|
||||
+++ b/rhosp10/product.yml
|
||||
@@ -10,3 +10,6 @@ pkg_manager: "yum"
|
||||
|
||||
init_system: "systemd"
|
||||
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/rhosp13/product.yml b/rhosp13/product.yml
|
||||
index 5e849ff609..ba42a31cd7 100644
|
||||
--- a/rhosp13/product.yml
|
||||
+++ b/rhosp13/product.yml
|
||||
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
|
||||
pkg_manager: "yum"
|
||||
|
||||
init_system: "systemd"
|
||||
+
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/rhv4/product.yml b/rhv4/product.yml
|
||||
index 10a2eda079..a61bf1588d 100644
|
||||
--- a/rhv4/product.yml
|
||||
+++ b/rhv4/product.yml
|
||||
@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
|
||||
|
||||
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
|
||||
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
|
||||
+
|
||||
+# Mapping of CPE platform to package
|
||||
+platform_package_overrides:
|
||||
+ login_defs: "shadow-utils"
|
||||
diff --git a/ssg/yaml.py b/ssg/yaml.py
|
||||
index cefbba374c..22cf5bad66 100644
|
||||
--- a/ssg/yaml.py
|
||||
+++ b/ssg/yaml.py
|
||||
@@ -10,7 +10,8 @@
|
||||
|
||||
from .jinja import load_macros, process_file
|
||||
from .constants import (PKG_MANAGER_TO_SYSTEM,
|
||||
- PKG_MANAGER_TO_CONFIG_FILE)
|
||||
+ PKG_MANAGER_TO_CONFIG_FILE,
|
||||
+ XCCDF_PLATFORM_TO_PACKAGE)
|
||||
from .constants import DEFAULT_UID_MIN
|
||||
|
||||
try:
|
||||
@@ -138,6 +139,9 @@ def open_raw(yaml_file):
|
||||
|
||||
def open_environment(build_config_yaml, product_yaml):
|
||||
contents = open_raw(build_config_yaml)
|
||||
+ # Load common platform package mappings,
|
||||
+ # any specific mapping in product_yaml will override the default
|
||||
+ contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
|
||||
contents.update(open_raw(product_yaml))
|
||||
contents.update(_get_implied_properties(contents))
|
||||
return contents
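Review bot: Seeding `contents["platform_package_overrides"]` before `contents.update(open_raw(product_yaml))` does not merge the two mappings: `dict.update` is shallow, so a product.yml that declares `platform_package_overrides` (every product touched by this patch, each with only `login_defs`) replaces the default dict wholesale and the `grub2`, `sssd` and `zipl` defaults from ssg/constants are lost for that product, the opposite of what the comment promises. The key is also bound to the module-level `XCCDF_PLATFORM_TO_PACKAGE` object itself rather than a copy, so any later mutation of one product's mapping would leak into every other product built in the same process. Do the merge after the update instead: `product_overrides = contents.get("platform_package_overrides", {})` followed by `contents["platform_package_overrides"] = dict(XCCDF_PLATFORM_TO_PACKAGE, **product_overrides)`.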
|
@ -1,183 +0,0 @@
|
||||
From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 2 Sep 2020 10:01:45 +0200
|
||||
Subject: [PATCH] add CUI kickstart for rhel8
|
||||
|
||||
---
|
||||
rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
|
||||
1 file changed, 167 insertions(+)
|
||||
create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..0957fded96
|
||||
--- /dev/null
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
|
||||
@@ -0,0 +1,167 @@
|
||||
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --bootproto dhcp
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g.
|
||||
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
+# to see how to create encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# --enableshadow enable shadowed passwords by default
|
||||
+# --passalgo hash / crypt algorithm for new passwords
|
||||
+# See the manual page for authconfig for a complete list of possible options.
|
||||
+authconfig --enableshadow --passalgo=sha512
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Refer to e.g.
|
||||
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
+# to see how to create encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+part /boot --fstype=xfs --size=512
|
||||
+part pv.01 --grow --size=1
|
||||
+
|
||||
+# Create a Logical Volume Management (LVM) group (optional)
|
||||
+volgroup VolGroup --pesize=4096 pv.01
|
||||
+
|
||||
+# Create particular logical volumes (optional)
|
||||
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
|
||||
+# Ensure /home Located On Separate Partition
|
||||
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
+# Ensure /tmp Located On Separate Partition
|
||||
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var/tmp Located On Separate Partition
|
||||
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var Located On Separate Partition
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+# Ensure /var/log Located On Separate Partition
|
||||
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var/log/audit Located On Separate Partition
|
||||
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
+logvol swap --name=swap --vgname=VolGroup --size=2016
|
||||
+
|
||||
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||
+# content - security policies - on the installed system.This add-on has been enabled by default
|
||||
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
|
||||
+# functionality will automatically be installed. However, by default, no policies are enforced,
|
||||
+# meaning that no checks are performed during or after installation unless specifically configured.
|
||||
+#
|
||||
+# Important
|
||||
+# Applying a security policy is not necessary on all systems. This screen should only be used
|
||||
+# when a specific policy is mandated by your organization rules or government regulations.
|
||||
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
|
||||
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
|
||||
+# Values can be optionally enclosed in single quotes (') or double quotes (").
|
||||
+#
|
||||
+# The following keys are recognized by the add-on:
|
||||
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
|
||||
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
|
||||
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
|
||||
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
|
||||
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
|
||||
+# xccdf-id - ID of the benchmark you want to use.
|
||||
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
|
||||
+# profile - ID of the profile to be applied. Use default to apply the default profile.
|
||||
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
|
||||
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
|
||||
+#
|
||||
+# The following is an example %addon org_fedora_oscap section which uses content from the
|
||||
+# scap-security-guide on the installation media:
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_cui
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
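Review bot: `authconfig --enableshadow --passalgo=sha512` and the bare `install` command near the top are RHEL 7 era kickstart commands; as far as I recall the RHEL 8 installer documents both as deprecated (`authselect` replaces `authconfig`), so a file introduced specifically for RHEL 8 should not rely on them. The comment above `network --onboot yes --bootproto dhcp` cites CCE-27021-5 / RHEL-06-000292, which are RHEL 6 identifiers carried over from the older template and mislead the reader of a RHEL 8 file. The `# Refer to e.g. ... #rootpw` lines under `# Specify how the bootloader should be installed` are a copy of the rootpw block and point at the wrong command; the `bootloader` line sets no password, so they should go or name the bootloader `--password` option instead. The published plaintexts for the `rootpw` and `user` hashes are fine for an example, but a one-line reminder that both must be replaced before the file is used for a real install belongs next to them.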
|
@ -1,92 +0,0 @@
|
||||
From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 21 Sep 2020 10:26:53 +0200
|
||||
Subject: [PATCH] Remove zIPL rule for PTI bootloader option
|
||||
|
||||
This setting is to mitigate a problem specific for intel archs.
|
||||
Also returns the CCE to the pool.
|
||||
---
|
||||
.../zipl_pti_argument/rule.yml | 38 -------------------
|
||||
rhel8/profiles/ospp.profile | 1 -
|
||||
rhel8/profiles/stig.profile | 1 -
|
||||
.../data/profile_stability/rhel8/ospp.profile | 1 -
|
||||
4 files changed, 41 deletions(-)
|
||||
delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
deleted file mode 100644
|
||||
index 96170e6d85..0000000000
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
||||
+++ /dev/null
|
||||
@@ -1,38 +0,0 @@
|
||||
-documentation_complete: true
|
||||
-
|
||||
-prodtype: rhel8
|
||||
-
|
||||
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
|
||||
-
|
||||
-description: |-
|
||||
- To enable Kernel page-table isolation,
|
||||
- check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
||||
- included in its options.<br />
|
||||
- To ensure that new kernels and boot entries continue to enable page-table isolation,
|
||||
- add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
||||
-
|
||||
-rationale: |-
|
||||
- Kernel page-table isolation is a kernel feature that mitigates
|
||||
- the Meltdown security vulnerability and hardens the kernel
|
||||
- against attempts to bypass kernel address space layout
|
||||
- randomization (KASLR).
|
||||
-
|
||||
-severity: medium
|
||||
-
|
||||
-identifiers:
|
||||
- cce@rhel8: 83361-6
|
||||
-
|
||||
-ocil_clause: 'Kernel page-table isolation is not enabled'
|
||||
-
|
||||
-ocil: |-
|
||||
- To check that page-table isolation is enabled at boot time, check all boot entries with following command:
|
||||
- <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
|
||||
- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
||||
-
|
||||
-platform: machine
|
||||
-
|
||||
-template:
|
||||
- name: zipl_bls_entries_option
|
||||
- vars:
|
||||
- arg_name: pti
|
||||
- arg_value: 'on'
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 5e81e4a92a..46f00c89f1 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -426,4 +426,3 @@ selections:
|
||||
- zipl_vsyscall_argument
|
||||
- zipl_vsyscall_argument.role=unscored
|
||||
- zipl_vsyscall_argument.severity=info
|
||||
- - zipl_pti_argument
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 53647475aa..817d5dbadd 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -52,7 +52,6 @@ selections:
|
||||
- "!zipl_audit_argument"
|
||||
- "!zipl_audit_backlog_limit_argument"
|
||||
- "!zipl_page_poison_argument"
|
||||
- - "!zipl_pti_argument"
|
||||
- "!zipl_slub_debug_argument"
|
||||
- "!zipl_vsyscall_argument"
|
||||
- "!zipl_vsyscall_argument.role=unscored"
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 7b7307cba8..223b1423cd 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -219,7 +219,6 @@ selections:
|
||||
- zipl_bls_entries_only
|
||||
- zipl_bootmap_is_up_to_date
|
||||
- zipl_page_poison_argument
|
||||
-- zipl_pti_argument
|
||||
- zipl_slub_debug_argument
|
||||
- zipl_vsyscall_argument
|
||||
- var_sshd_set_keepalive=0
|
@ -1,49 +0,0 @@
|
||||
From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 9 Oct 2020 09:30:35 +0200
|
||||
Subject: [PATCH] Do not platform wrap empty Bash remediation
|
||||
|
||||
The fix text for a rule can end up empty if a Jinja macro or conditional
|
||||
doesn't render any text.
|
||||
In these cases, avoid wrapping empty lines in an if-else, as this causes
|
||||
syntax error.
|
||||
---
|
||||
ssg/build_remediations.py | 15 +++++++++------
|
||||
1 file changed, 9 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
|
||||
index f269d4d2d6..572db61701 100644
|
||||
--- a/ssg/build_remediations.py
|
||||
+++ b/ssg/build_remediations.py
|
||||
@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
|
||||
self.local_env_yaml.update(env_yaml)
|
||||
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
|
||||
|
||||
+ # Avoid platform wrapping empty fix text
|
||||
+ # Remediations can be empty when a Jinja macro or conditional
|
||||
+ # renders no fix text for a product
|
||||
+ stripped_fix_text = result.contents.strip()
|
||||
+ if stripped_fix_text == "":
|
||||
+ return result
|
||||
+
|
||||
rule_platforms = set()
|
||||
if self.associated_rule:
|
||||
# There can be repeated inherited platforms and rule platforms
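Review bot: `if stripped_fix_text == "":` is the idiom `if not stripped_fix_text:`. Because the second hunk now wraps `stripped_fix_text` rather than `result.contents`, the first line's leading whitespace and the trailing newline of the original fix are dropped too, not only the surrounding blank lines; that is harmless for Bash, but the comment above the `.strip()` call should say so, e.g. `# strip() also trims the body's own leading/trailing whitespace; harmless for Bash`. parse_from_file_with_jinja starts before the first hunk and continues past the second.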
|
||||
@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
|
||||
|
||||
all_conditions = " && ".join(platform_conditionals)
|
||||
wrapped_fix_text.append("if {0}; then".format(all_conditions))
|
||||
-
|
||||
- # Avoid adding extra blank line
|
||||
- if not result.contents.startswith("\n"):
|
||||
- wrapped_fix_text.append("")
|
||||
-
|
||||
+ wrapped_fix_text.append("")
|
||||
# It is possible to indent the original body of the remediation with textwrap.indent(),
|
||||
# however, it is not supported by python2, and there is a risk of breaking remediations
|
||||
# For example, remediations with a here-doc block could be affected.
|
||||
- wrapped_fix_text.append("{0}".format(result.contents))
|
||||
+ wrapped_fix_text.append("{0}".format(stripped_fix_text))
|
||||
wrapped_fix_text.append("")
|
||||
wrapped_fix_text.append("else")
|
||||
wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
|
@ -1,116 +0,0 @@
|
||||
From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 5 Oct 2020 16:40:39 +0200
|
||||
Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc
|
||||
|
||||
Check for grub2 installation based on grub2-common.
|
||||
grub2-pc is a x86_64 package, but other arches use grub2 as well.
|
||||
---
|
||||
.../checks/oval/installed_env_has_grub2_package.xml | 12 ++++++------
|
||||
ssg/constants.py | 2 +-
|
||||
2 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
index e83f45bc3b..2a170d668e 100644
|
||||
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
@@ -6,31 +6,31 @@
|
||||
<affected family="unix">
|
||||
<platform>multi_platform_all</platform>
|
||||
</affected>
|
||||
- <description>Checks if package grub2-pc is installed.</description>
|
||||
+ <description>Checks if package grub2-common is installed.</description>
|
||||
<reference ref_id="cpe:/a:grub2" source="CPE" />
|
||||
</metadata>
|
||||
<criteria>
|
||||
- <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
|
||||
+ <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
{{% if pkg_system == "rpm" %}}
|
||||
<linux:rpminfo_test check="all" check_existence="at_least_one_exists"
|
||||
id="test_env_has_grub2_installed" version="1"
|
||||
- comment="system has package grub2-pc installed">
|
||||
+ comment="system has package grub2-common installed">
|
||||
<linux:object object_ref="obj_env_has_grub2_installed" />
|
||||
</linux:rpminfo_test>
|
||||
<linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
|
||||
- <linux:name>grub2-pc</linux:name>
|
||||
+ <linux:name>grub2-common</linux:name>
|
||||
</linux:rpminfo_object>
|
||||
{{% elif pkg_system == "dpkg" %}}
|
||||
<linux:dpkginfo_test check="all" check_existence="all_exist"
|
||||
id="test_env_has_grub2_installed" version="1"
|
||||
- comment="system has package grub2-pc installed">
|
||||
+ comment="system has package grub2-common installed">
|
||||
<linux:object object_ref="obj_env_has_grub2_installed" />
|
||||
</linux:dpkginfo_test>
|
||||
<linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
|
||||
- <linux:name>grub2-pc</linux:name>
|
||||
+ <linux:name>grub2-common</linux:name>
|
||||
</linux:dpkginfo_object>
|
||||
{{% endif %}}
|
||||
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index b07fe5f0fe..88316374b5 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -468,7 +468,7 @@
|
||||
|
||||
# Default platform to package mapping
|
||||
XCCDF_PLATFORM_TO_PACKAGE = {
|
||||
- "grub2": "grub2-pc",
|
||||
+ "grub2": "grub2-common",
|
||||
"login_defs": "login",
|
||||
"sssd": "sssd-common",
|
||||
"zipl": "s390utils-base",
|
||||
|
||||
From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 5 Oct 2020 16:49:15 +0200
|
||||
Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le
|
||||
|
||||
ppc64le systems can use Grub2 or OPAL and the package set will be the
|
||||
same in both cases.
|
||||
Add a few more checks to make sure ppc64le arch is handled correctly.
|
||||
---
|
||||
.../oval/installed_env_has_grub2_package.xml | 19 ++++++++++++++++++-
|
||||
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
index 2a170d668e..fb2c9cc784 100644
|
||||
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
|
||||
@@ -9,8 +9,18 @@
|
||||
<description>Checks if package grub2-common is installed.</description>
|
||||
<reference ref_id="cpe:/a:grub2" source="CPE" />
|
||||
</metadata>
|
||||
- <criteria>
|
||||
+ <criteria operator="AND">
|
||||
<criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
|
||||
+ <criteria operator="OR">
|
||||
+ <!-- On ppc64le systems, OF (Grub2) or OPAL (petitboot) can be used,
|
||||
+ and unfortunately the package set installed is the same in both cases.
|
||||
+ But when OPAL is used, /sys/firmware/opal exists.
|
||||
+ So the system uses grub when: -->
|
||||
+ <!-- grub2-common is installed and arch is not a ppc64le -->
|
||||
+ <criterion comment="Test for ppcle64 architecture" test_ref="test_system_info_architecture_ppcle_64" negate="true" />
|
||||
+ <!-- or when grub2-common is installed, arch is a ppc64le but OPAL is not used -->
|
||||
+ <criterion comment="Test if OPAL is not used" test_ref="test_system_using_opal" negate="true" />
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -34,4 +44,11 @@
|
||||
</linux:dpkginfo_object>
|
||||
{{% endif %}}
|
||||
|
||||
+ <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firware/opal exists" id="test_system_using_opal" version="1">
|
||||
+ <unix:object object_ref="object_system_using_opal" />
|
||||
+ </unix:file_test>
|
||||
+ <unix:file_object id="object_system_using_opal" version="1">
|
||||
+ <unix:filepath>/sys/firmware/opal</unix:filepath>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
</def-group>
|
@ -1,38 +0,0 @@
|
||||
From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Sep 2020 11:29:57 +0200
|
||||
Subject: [PATCH] Fix load of product platform mapping
|
||||
|
||||
The product specific mappings were overriding the common mappings,
|
||||
instead of being merged with them.
|
||||
---
|
||||
ssg/yaml.py | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ssg/yaml.py b/ssg/yaml.py
|
||||
index 22cf5bad66..d8856e52c9 100644
|
||||
--- a/ssg/yaml.py
|
||||
+++ b/ssg/yaml.py
|
||||
@@ -13,6 +13,7 @@
|
||||
PKG_MANAGER_TO_CONFIG_FILE,
|
||||
XCCDF_PLATFORM_TO_PACKAGE)
|
||||
from .constants import DEFAULT_UID_MIN
|
||||
+from .utils import merge_dicts
|
||||
|
||||
try:
|
||||
from yaml import CSafeLoader as yaml_SafeLoader
|
||||
@@ -139,10 +140,11 @@ def open_raw(yaml_file):
|
||||
|
||||
def open_environment(build_config_yaml, product_yaml):
|
||||
contents = open_raw(build_config_yaml)
|
||||
- # Load common platform package mappings,
|
||||
- # any specific mapping in product_yaml will override the default
|
||||
- contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
|
||||
contents.update(open_raw(product_yaml))
|
||||
+ platform_package_overrides = contents.get("platform_package_overrides", {})
|
||||
+ # Merge common platform package mappings, while keeping product specific mappings
|
||||
+ contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE,
|
||||
+ platform_package_overrides)
|
||||
contents.update(_get_implied_properties(contents))
|
||||
return contents
|
||||
|
@ -1,22 +0,0 @@
|
||||
From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 15:28:02 +0200
|
||||
Subject: [PATCH] Fix zIPL package mapping
|
||||
|
||||
---
|
||||
ssg/constants.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index 0eca2f4f95..fa6c756ff6 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -470,7 +470,7 @@
|
||||
"grub2": "grub2-pc",
|
||||
"login_defs": "login",
|
||||
"sssd": "sssd-common",
|
||||
- "zipl": "s390x-utils",
|
||||
+ "zipl": "s390utils-base",
|
||||
}
|
||||
|
||||
# _version_name_map = {
|
@ -1,16 +0,0 @@
|
||||
From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 15:04:39 +0200
|
||||
Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group
|
||||
|
||||
This will put the rule under grub2 platform, so the rule is only
|
||||
applicable on a machine system with grub2.
|
||||
---
|
||||
.../grub2_vsyscall_argument/rule.yml | 0
|
||||
1 file changed, 0 insertions(+), 0 deletions(-)
|
||||
rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
similarity index 100%
|
||||
rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
|
||||
rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
@ -0,0 +1,137 @@
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
index 7da2e067a6..5d01170aab 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
|
||||
@@ -33,6 +33,7 @@ references:
|
||||
cis@sle12: 5.2.4
|
||||
cis@sle15: 5.2.6
|
||||
stigid@rhel7: RHEL-07-040710
|
||||
+ stigid@ol7: OL07-00-040710
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
index 87c3cb7f5a..5683676bfc 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
|
||||
@@ -23,7 +23,6 @@ identifiers:
|
||||
cce@sle12: CCE-83017-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040710
|
||||
cui: 3.1.13
|
||||
disa: CCI-000366
|
||||
nist: CM-6(a),AC-17(a),AC-17(2)
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
index 50c7d689af..42cb32e30e 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -51,7 +51,6 @@ identifiers:
|
||||
cce@rhel8: CCE-81032-5
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040110
|
||||
cis: 5.2.10
|
||||
cjis: 5.5.6
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
index 0751064179..73de17af35 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated Ciphers'
|
||||
|
||||
@@ -32,6 +32,7 @@ references:
|
||||
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
||||
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040110
|
||||
+ stigid@ol7: OL07-00-040110
|
||||
|
||||
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index c490756daf..13997f9418 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -46,7 +46,6 @@ identifiers:
|
||||
cce@sle12: CCE-83036-4
|
||||
|
||||
references:
|
||||
- stigid@ol7: OL07-00-040400
|
||||
cis: 5.2.12
|
||||
cui: 3.1.13,3.13.11,3.13.8
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index 88d2d77e14..bd597f0860 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: ol7,rhel7
|
||||
|
||||
title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
|
||||
@@ -25,6 +25,7 @@ references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
stigid@rhel7: RHEL-07-040400
|
||||
+ stigid@ol7: OL07-00-040400
|
||||
|
||||
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
index 7267d2443a..b0fe065d86 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -26,6 +26,7 @@ identifiers:
|
||||
references:
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
stig@rhel7: RHEL-07-040711
|
||||
+ stig@ol7: OL07-00-040711
|
||||
disa: CCI-000366
|
||||
nist: CM-6(b)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 820a942220..dfcbbafd17 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
|
||||
ocil: |-
|
||||
To verify the assigned home directory of all interactive users is group-
|
||||
owned by that users primary GID, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
index 7d5778d4f6..37cb36cda3 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
|
||||
|
||||
ocil: |-
|
||||
To verify the home directory ownership, run the following command:
|
||||
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
|
||||
+ <pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
|
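Review bot: The references block added to sshd_x11_use_localhost uses the key `stig@ol7: OL07-00-040711` next to the pre-existing `stig@rhel7: RHEL-07-040711`, while every other hunk in this patch uses `stigid@ol7`/`stigid@rhel7`; if the build only recognises `stigid@`, this rule's STIG identifier is silently dropped from the generated tables, so both lines should become `stigid@rhel7: RHEL-07-040711` and `stigid@ol7: OL07-00-040711`. The new OCIL command in file_groupownership_home_directories and file_ownership_home_directories hard-codes `$3>=1000` instead of the system's UID_MIN from /etc/login.defs and skips only shells matching `nologin`, so accounts with `/bin/false` or a non-default UID_MIN may be listed differently from what the automated check evaluates; the unquoted `$(...)` also word-splits home paths containing spaces. A sentence in the OCIL text stating that the 1000 threshold must match UID_MIN would at least make the manual procedure auditable.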
@ -0,0 +1,34 @@
|
||||
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 09:42:26 +0100
|
||||
Subject: [PATCH] Add metadata to ANSSI R35
|
||||
|
||||
Current implementation cannot diferentiate between system and
|
||||
standard user umask, they are both set to the same value.
|
||||
---
|
||||
controls/anssi.yml | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..621996e985 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -572,10 +572,18 @@ controls:
|
||||
only be read by the user and his group, and be editable only by his owner).
|
||||
The umask for users must be set to 0077 (any file created by a user is
|
||||
readable and editable only by him).
|
||||
+ notes: >-
|
||||
+ There is no simple way to check and remediate different umask values for
|
||||
+ system and standard users reliably.
|
||||
+ The different values are set in a conditional clause in a shell script
|
||||
+ (e.g. /etc/profile or /etc/bashrc).
|
||||
+ The current implementation checks and fixes both umask to the same value.
|
||||
+ automated: partially
|
||||
rules:
|
||||
- var_accounts_user_umask=077
|
||||
- accounts_umask_etc_login_defs
|
||||
- accounts_umask_etc_profile
|
||||
+ - accounts_umask_etc_bashrc
|
||||
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
@ -0,0 +1,94 @@
|
||||
From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:03 +0100
|
||||
Subject: [PATCH 1/3] add rule
|
||||
|
||||
---
|
||||
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
|
||||
1 file changed, 34 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..1811c43815
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -0,0 +1,34 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol8,rhel7,rhel8
|
||||
+
|
||||
+title: 'Disable loading and unloading of kernel modules'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ Malicious kernel modules can have a significant impact on system security and
|
||||
+ availability. Disabling loading of kernel modules prevents this threat. Note
|
||||
+ that once this option has been set, it cannot be reverted without doing a
|
||||
+ system reboot. Make sure that all needed kernel modules are loaded before
|
||||
+ setting this option.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83392-1
|
||||
+ cce@rhel8: CCE-83397-0
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R24)
|
||||
+
|
||||
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: kernel.modules_disabled
|
||||
+ sysctlval: '1'
|
||||
+ datatype: int
|
||||
|
||||
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 14:01:15 +0100
|
||||
Subject: [PATCH 2/3] add rule to anssi profile
|
||||
|
||||
---
|
||||
controls/anssi.yml | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 9e2b899b6d..f435459af3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -483,7 +483,8 @@ controls:
|
||||
sysctl kernel.modules_disabledconf:
|
||||
Prohibition of loading modules (except those already loaded to this point)
|
||||
kernel.modules_disabled = 1
|
||||
- # rules: TBD
|
||||
+ rules:
|
||||
+ - sysctl_kernel_modules_disabled
|
||||
|
||||
- id: R25
|
||||
level: enhanced
|
||||
|
||||
From a4a91fbb7f23854e4f80819a023c1adc4e7110c5 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 14 Jan 2021 09:30:01 +0100
|
||||
Subject: [PATCH 3/3] remove cces from pool
|
||||
|
||||
---
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4dbec8255c..137d975a3d 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,5 +1,3 @@
|
||||
-CCE-83392-1
|
||||
-CCE-83397-0
|
||||
CCE-83398-8
|
||||
CCE-83399-6
|
||||
CCE-83404-4
|
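Review bot: The rationale warns that `kernel.modules_disabled` cannot be reverted without a reboot, but the rule gives an operator no indication of when the value takes effect: with the `sysctl` template the setting is presumably persisted under /etc/sysctl.d and applied by systemd-sysctl early in boot, after which on-demand module autoloading (netfilter modules pulled in by firewall rules, filesystems on first mount, hot-plugged device drivers) fails for the rest of the boot, and running the remediation on a live system blocks further module loads immediately. A `warnings:` entry should spell this out, saying that the setting must be applied by a late-boot mechanism after every required module is loaded and that the bash/Ansible remediation is not safe to run unattended on a system whose module set is not yet complete. Without that caveat a medium-severity, profile-selected rule can render a remediated host unable to bring up networking or storage.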
@ -0,0 +1,117 @@
|
||||
From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:25:05 +0200
|
||||
Subject: [PATCH 1/2] var pam unix remember, add selector
|
||||
|
||||
Add selector "2" to var_password_pam_unix_remember.
|
||||
---
|
||||
.../accounts/accounts-pam/var_password_pam_unix_remember.var | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
index f533a36963..6e7abb3b78 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
|
||||
@@ -18,6 +18,7 @@ options:
|
||||
"0": "0"
|
||||
10: 10
|
||||
24: 24
|
||||
+ 2: 2
|
||||
4: 4
|
||||
5: 5
|
||||
default: 5
|
||||
|
||||
From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 19 Oct 2020 17:29:47 +0200
|
||||
Subject: [PATCH 2/2] Select rules for password strenght management
|
||||
|
||||
Rule selection is based on ANSSI DAT-NT-001
|
||||
---
|
||||
controls/anssi.yml | 45 ++++++++++++++++++-
|
||||
.../var_password_pam_minlen.var | 2 +
|
||||
...ar_accounts_password_minlen_login_defs.var | 2 +
|
||||
3 files changed, 48 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..3ccd0f8cb3 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -281,7 +281,50 @@ controls:
|
||||
- id: R18
|
||||
level: minimal
|
||||
title: Administrator password robustness
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ The rules selected below establish a general password strength baseline of 100 bits,
|
||||
+ inspired by DAT-NT-001 and the "Password Strenght Calculator"
|
||||
+ (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
|
||||
+
|
||||
+ The baseline should be reviewed and tailored to the system's use case and needs.
|
||||
+ automated: partially
|
||||
+ rules:
|
||||
+ # Renew passwords every 90 days
|
||||
+ - var_accounts_maximum_age_login_defs=90
|
||||
+ - accounts_maximum_age_login_defs
|
||||
+
|
||||
+ # Ensure passwords with minimum of 18 characters
|
||||
+ - var_password_pam_minlen=18
|
||||
+ - accounts_password_pam_minlen
|
||||
+ # Enforce password lenght for new accounts
|
||||
+ - var_accounts_password_minlen_login_defs=18
|
||||
+ - accounts_password_minlen_login_defs
|
||||
+ # Require at Least 1 Special Character in Password
|
||||
+ - var_password_pam_ocredit=1
|
||||
+ - accounts_password_pam_ocredit
|
||||
+ # Require at Least 1 Numeric Character in Password
|
||||
+ - var_password_pam_dcredit=1
|
||||
+ - accounts_password_pam_dcredit
|
||||
+ # Require at Least 1 Uppercase Character in Password
|
||||
+ - var_password_pam_ucredit=1
|
||||
+ - accounts_password_pam_ucredit
|
||||
+ # Require at Least 1 Lowercase Character in Password
|
||||
+ - var_password_pam_lcredit=1
|
||||
+ - accounts_password_pam_lcredit
|
||||
+
|
||||
+ # Lock out users after 3 failed authentication attempts within 15 min
|
||||
+ - var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
+ - accounts_passwords_pam_faillock_interval
|
||||
+ - var_accounts_passwords_pam_faillock_deny=3
|
||||
+ - accounts_passwords_pam_faillock_deny
|
||||
+ - accounts_passwords_pam_faillock_deny_root
|
||||
+ # Automatically unlock users after 15 min to prevent DoS
|
||||
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
||||
+ - accounts_passwords_pam_faillock_unlock_time
|
||||
+
|
||||
+ # Do not reuse last two passwords
|
||||
+ - var_password_pam_unix_remember=2
|
||||
+ - accounts_password_pam_unix_remember
|
||||
|
||||
- id: R19
|
||||
level: intermediary
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
index f506a090bb..873d907ab9 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
|
||||
@@ -15,6 +15,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
7: 7
|
||||
8: 8
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
index f41ff432ec..662c53b076 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
|
||||
@@ -13,6 +13,8 @@ options:
|
||||
12: 12
|
||||
14: 14
|
||||
15: 15
|
||||
+ 18: 18
|
||||
+ 20: 20
|
||||
6: 6
|
||||
8: 8
|
||||
default: 15
|
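Review bot: The comments in the R18 rule list say "Require at Least 1 Special/Numeric/Uppercase/Lowercase Character", but the selectors `var_password_pam_ocredit=1`, `dcredit=1`, `ucredit=1`, `lcredit=1` only enforce that if selector `1` resolves to a negative pam_pwquality credit (`ocredit=-1`); a positive credit is a bonus towards `minlen`, not a requirement, and with four positive credits a 14-character password containing all four classes already satisfies `minlen=18`. The .var files that map those selectors are not part of this patch, so confirm the mapping before relying on the 100-bit baseline claimed in `notes`, and consider stating in the notes whether credits are requirements or bonuses. The notes and comments also carry the typos `Strenght` and `lenght`.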
@ -0,0 +1,47 @@
|
||||
From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 28 Oct 2020 18:52:13 +0100
|
||||
Subject: [PATCH] Select rules for ANSSI R37
|
||||
|
||||
These rules are better fit for R37 than R38.
|
||||
R37 is about binaries designed to be used with setuid or setgid bits.
|
||||
R38 is about reducing number of binaries with setuid root.
|
||||
---
|
||||
controls/anssi.yml | 17 ++++++++++++-----
|
||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 26bc7f4694..4648b98dff 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -590,8 +590,17 @@ controls:
|
||||
|
||||
- id: R37
|
||||
level: minimal
|
||||
- title: Executables with setuid and/or setgid bits
|
||||
- # rules: TBD
|
||||
+ title: Executables with setuid and setgid bits
|
||||
+ notes: >-
|
||||
+ Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
|
||||
+ This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
|
||||
+ recognized and authorized repositories (covered in R15).
|
||||
+ The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
|
||||
+ should be reviewed.
|
||||
+ automated: yes
|
||||
+ rules:
|
||||
+ - file_permissions_unauthorized_suid
|
||||
+ - file_permissions_unauthorized_sgid
|
||||
|
||||
- id: R38
|
||||
level: enhanced
|
||||
@@ -600,9 +609,7 @@ controls:
|
||||
Setuid executables should be as small as possible. When it is expected
|
||||
that only the administrators of the machine execute them, the setuid bit
|
||||
must be removed and prefer them commands like su or sudo, which can be monitored
|
||||
- rules:
|
||||
- - file_permissions_unauthorized_suid
|
||||
- - file_permissions_unauthorized_sgid
|
||||
+ # rules: TBD
|
||||
|
||||
- id: R39
|
||||
level: intermediary
|
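Review bot: The notes added for R37 say the remediation "resets the sticky bit", but the selected rules (`file_permissions_unauthorized_suid`, `file_permissions_unauthorized_sgid`) concern the setuid and setgid bits, and the sticky bit is an unrelated permission; this text becomes profile documentation, so it should read `The remediation resets the setuid/setgid bits to the value intended by the vendor/developer; any finding after remediation should be reviewed.` (also `apropriate` → `appropriate`). It would also help to state whether these rules catch setuid binaries that belong to no package, since that is what an attacker plants; if the checks are package-verification based, that gap belongs in the notes rather than being implied by the reference to R15.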
@ -0,0 +1,37 @@
|
||||
From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:04:05 +0100
|
||||
Subject: [PATCH] Add variable selector and notes for R29
|
||||
|
||||
---
|
||||
controls/anssi.yml | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..3303d70295 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -521,10 +521,22 @@ controls:
|
||||
description: >-
|
||||
Remote user sessions (shell access, graphical clients) must be closed
|
||||
after a certain period of inactivity.
|
||||
+ notes: >-
|
||||
+ There is no specific capability to check remote user inactivity, but some shells allow the
|
||||
+ session inactivity time out to be configured via TMOUT variable.
|
||||
+ In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
|
||||
+ The server is configured to disconnect sessions if no data has been received within the idle timeout,
|
||||
+ regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
|
||||
+ In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
|
||||
+ The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
|
||||
+ "don't disconnect network inactive sessions". The server either probes for the client liveness
|
||||
+ or keeps inactive sessions connected.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- accounts_tmout
|
||||
+ - var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- - sshd_idle_timeout_value=5_minutes
|
||||
+ - sshd_idle_timeout_value=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
|
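Review bot: The new note for R29 says that in OpenSSH >= 8.2 "there is no way to disconnect sessions based on client liveness", which contradicts the sentence that follows: the server still probes liveness and drops unresponsive clients, what was lost is disconnection of network-inactive sessions. Suggested wording: `In OpenSSH >= 8.2 there is no way to disconnect sessions based on network inactivity alone.` The timeout also moves from 5 to 10 minutes without a reason being recorded; one line in `notes` explaining the choice would help auditors. Finally, TMOUT only constrains an interactive user if `accounts_tmout` exports it and marks it readonly; if that rule does not, the notes should say the shell timeout can be unset by the user.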
@ -0,0 +1,106 @@
|
||||
From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:07:48 +0100
|
||||
Subject: [PATCH 1/4] add rule
|
||||
|
||||
---
|
||||
.../sshd_x11_use_localhost/rule.yml | 43 +++++++++++++++++++
|
||||
shared/references/cce-redhat-avail.txt | 3 --
|
||||
2 files changed, 43 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..67131e509c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
|
||||
@@ -0,0 +1,43 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol7,rhel7
|
||||
+
|
||||
+title: 'Prevent remote hosts from connecting to the proxy display'
|
||||
+
|
||||
+description: |-
|
||||
+ The SSH daemon should prevent remote hosts from connecting to the proxy
|
||||
+ display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
|
||||
+ <tt>yes</tt> within the SSH server configuration file.
|
||||
+
|
||||
+
|
||||
+rationale: |-
|
||||
+ When X11 forwarding is enabled, there may be additional exposure to the
|
||||
+ server and client displays if the sshd proxy display is configured to listen
|
||||
+ on the wildcard address. By default, sshd binds the forwarding server to the
|
||||
+ loopback address and sets the hostname part of the <tt>DISPLAY</tt>
|
||||
+ environment variable to localhost. This prevents remote hosts from
|
||||
+ connecting to the proxy display.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83404-4
|
||||
+
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stig@rhel7: RHEL-07-040711
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+
|
||||
+ocil_clause: "the display proxy is listening on wildcard address"
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: sshd_lineinfile
|
||||
+ vars:
|
||||
+ missing_parameter_pass: 'false'
|
||||
+ parameter: X11UseLocalhost
|
||||
+ rule_id: sshd_x11_use_localhost
|
||||
+ value: 'yes'
|
||||
From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 17:08:08 +0100
|
||||
Subject: [PATCH 2/4] add rule to the stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 88b50d5ef4..817e0982e5 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -286,6 +286,7 @@ selections:
- package_vsftpd_removed
- package_tftp-server_removed
- sshd_enable_x11_forwarding
+ - sshd_x11_use_localhost
- tftpd_uses_secure_mode
- package_xorg-x11-server-common_removed
- xwindows_runlevel_target
From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Fri, 15 Jan 2021 07:46:09 +0100
Subject: [PATCH 4/4] Update
linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 67131e509c..7267d2443a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
template:
name: sshd_lineinfile
vars:
- missing_parameter_pass: 'false'
+ missing_parameter_pass: 'true'
parameter: X11UseLocalhost
rule_id: sshd_x11_use_localhost
value: 'yes'
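--- /dev/null
+++ b/SOURCES/PLACEHOLDER-sudoers-explicit-command-args.patch
@@ -0,0 +1,196 @@
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 851993512..515a4a172 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -850,7 +850,8 @@ controls:
+- id: R63
+level: intermediary
+title: Explicit arguments in sudo specifications
+- # rules: TBD
++ rules:
++ - sudoers_explicit_command_args
+
+- id: R64
+level: intermediary
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
+new file mode 100644
+index 000000000..94a0cb421
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
+@@ -0,0 +1,25 @@
++<def-group>
++ <definition class="compliance" id="{{{ rule_id }}}" version="1">
++ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
++ <criteria operator="AND">
++ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
++ </criteria>
++ </definition>
++
++ <ind:textfilecontent54_test check="all" check_existence="none_exist"
++ comment="Make sure that no command in user spec is without any argument"
++ id="test_{{{ rule_id }}}" version="1">
++ <ind:object object_ref="object_{{{ rule_id }}}" />
++ </ind:textfilecontent54_test>
++
++ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
++ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
++ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
++ where a command is <runas spec>?<anything except ,>+,
++ - ',' is a command delimiter, while
++ The last capturing group holds the offending command without args.
++ -->
++ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++</def-group>
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+new file mode 100644
+index 000000000..a0590c8b0
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+@@ -0,0 +1,46 @@
++documentation_complete: true
++
++title: "Explicit arguments in sudo specifications"
++
++description: |-
++ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
++ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
++
++rationale: |-
++ Any argument can modify quite significantly the behavior of a program, whether regarding the
++ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
++ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
++ level of its specification.
++
++ For example, on some systems, the kernel messages are only accessible by root.
++ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
++ in order to prevent the user from flushing the buffer through the -c option:
++ <pre>
++ user ALL = dmesg ""
++ </pre>
++
++severity: medium
++
++identifiers:
++ cce@rhel7: CCE-83631-2
++ cce@rhel8: CCE-83632-0
++
++references:
++ anssi: BP28(R63)
++
++ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
++
++ocil: |-
++ To determine if arguments that commands can be executed with are restricted, run the following command:
++ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
++ The command should return no output.
++
++platform: sudo
++
++warnings:
++ - general:
++ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
++
++ - general:
++ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
++ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+new file mode 100644
+index 000000000..b0d05b2a5
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
++echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+new file mode 100644
+index 000000000..c6f885f9f
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+new file mode 100644
+index 000000000..fce851f55
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+new file mode 100644
+index 000000000..baf66468d
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# remediation = none
++# packages = sudo
++
++# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
++# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
++# and val2 is another command in the user spec.
++echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
++
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+new file mode 100644
+index 000000000..9a04a205a
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+new file mode 100644
+index 000000000..4a3a7c94b
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+new file mode 100644
+index 000000000..9643a3337
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
++
++echo 'user ALL = ALL' > /etc/sudoers.d/bar
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 4dbec8255..94a116b59 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -140,8 +140,6 @@ CCE-83626-2
+CCE-83627-0
+CCE-83628-8
+CCE-83629-6
+-CCE-83631-2
+-CCE-83632-0
+CCE-83633-8
+CCE-83634-6
+CCE-83635-3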
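Review bot: The `<ind:pattern>` in oval/shared.xml (and the identical grep in the rule's ocil) only requires `[^#=]+=` in front of the command list, so, as far as I can read it, a sudoers line such as `Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin` or `Cmnd_Alias X = /bin/foo` also matches and is reported as a user specification with an unrestricted command; the stock RHEL sudoers ships such a `Defaults secure_path` line, so a default system fails this check for a reason unrelated to the rule's intent. Either exclude defaults lines in both expressions, e.g. start them with `^(?!\s*Defaults\b)(?:\s*[^#=]+)=`, or add these cases to the `warnings:` block in rule.yml next to the comma-escaping caveat it already documents. That block should also state that the default `root ALL=(ALL) ALL` and `%wheel ALL=(ALL) ALL` entries are flagged by design (the `user ALL = ALL` line in sudoers_d.fail.sh shows this is intended), since the rule ships without remediation and an administrator will otherwise assume a false positive. Separately, `^/etc/sudoers(\.d/.*)?$` also scans files under /etc/sudoers.d that sudo itself skips (names containing a `.` or ending in `~`), which can produce findings on content that is never parsed.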
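--- /dev/null
+++ b/SOURCES/PLACEHOLDER-rhel8-kickstart-var-3gb.patch
@@ -0,0 +1,213 @@
+From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.com>
+Date: Thu, 4 Feb 2021 09:43:51 +0100
+Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
+
+---
+rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
+rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
+9 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+index 52af3ef47e..4e249f61e2 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+index 702f23d4dc..a1511b157a 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+index b875692944..981d291847 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+index 4a114aebb6..7fc4945518 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+# Ensure /usr Located On Separate Partition
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+# Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+index bf3804b3fa..ee3a20bcc2 100644
+--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+index 6e0f83ebb7..8e4b92584f 100644
+--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+index 119e98364f..ec490c38ee 100644
+--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+index 21a50f52fd..386cbcc169 100644
+--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+# CCE-26557-9: Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# CCE-26435-8: Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# CCE-26639-5: Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# CCE-26215-4: Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+index a3e5e5fec1..28f7ff0927 100644
+--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition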
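Review bot: In every kickstart here the root logical volume is shrunk by the same 1024 MiB that `/var` gains (`--size=4216` → `--size=3192`, `--size=11264` → `--size=10240`, `--size=12288` → `--size=11264`), yet neither the patch subject nor the `# Create particular logical volumes (optional)` comment records that trade-off, so a later reader sees an oddly specific root size with no explanation. Suggest a comment above each root `logvol` line, e.g. `# root size reduced by 1024 MiB to offset the 3072 MiB /var volume and keep the minimum disk footprint unchanged` (presumably the intent; confirm). Note also that `/var/log` and `/var/log/audit` stay separate 1024 MiB and 512 MiB volumes in all nine files, so the extra space serves `/var` itself (package caches, databases) rather than log or audit retention — worth saying so the change is not mistaken for an audit-storage fix.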
@ -0,0 +1,426 @@
From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Feb 2021 09:41:26 +0100
Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
- No need to restrict IPv6
- Root login is not restricted
- Simplify boot command
- Simplify paritioning
- No requirement to enforce use of SELinux
---
.../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++--------------
.../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------
2 files changed, 5 insertions(+), 94 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
index 4160ac094c..9bc4eae44f 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
@@ -54,7 +54,7 @@ keyboard us
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
-network --onboot yes --device eth0 --bootproto dhcp --noipv6
+network --onboot yes --device eth0 --bootproto dhcp
# Set the system's root password (required)
# Plaintext password is: server
@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
# encrypted password form for different plaintext password
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
-# The selected profile will restrict root login
-# Add a user that can login and escalate privileges
-# Plaintext password is: admin123
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
-
-# Configure firewall settings for the system (optional)
-# --enabled reject incoming connections that are not in response to outbound requests
-# --ssh allow sshd service through the firewall
-firewall --enabled --ssh
-
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
# Set the system time zone (required)
timezone --utc America/New_York
@@ -89,7 +75,7 @@ timezone --utc America/New_York
# Plaintext password is: password
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
# encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr
# Initialize (format) all disks (optional)
zerombr
@@ -103,33 +89,7 @@ zerombr
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
-part /boot --fstype=xfs --size=512
-part pv.01 --grow --size=1
-
-# Create a Logical Volume Management (LVM) group (optional)
-volgroup VolGroup --pesize=4096 pv.01
-
-# Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
-# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
-# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
-# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /tmp Located On Separate Partition
-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
-# Ensure /var/tmp Located On Separate Partition
-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-# Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
-# Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
-# Ensure /var/log/audit Located On Separate Partition
-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+autopart
# Despite the ID referencing NT-28, the profile is aligned to BP-028
%addon org_fedora_oscap
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
index 7fc4945518..1d62b55d55 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||
|
||||
-# The selected profile will restrict root login
|
||||
-# Add a user that can login and escalate privileges
|
||||
-# Plaintext password is: admin123
|
||||
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
-
|
||||
-# Configure firewall settings for the system (optional)
|
||||
-# --enabled reject incoming connections that are not in response to outbound requests
|
||||
-# --ssh allow sshd service through the firewall
|
||||
-firewall --enabled --ssh
|
||||
-
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
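Review bot: After this hunk the minimal kickstart no longer sets `selinux --enforcing` or `firewall --enabled --ssh`, so the installed state now depends on anaconda's defaults rather than on anything the file states. If that is intentional for the minimal level, a comment where the lines were removed keeps the next editor from reading it as an accidental loss, e.g. `# Minimal level: SELinux state and firewall are left at installer defaults (see removed comment: "Defaults to enforcing")`. Note also that with the `user --name=admin` line gone, root is the only account this sample builds, and its `rootpw` hash above is published in this file; the remaining comment on the plaintext password should say plainly that the hash must be replaced before any real use.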
|
||||
|
||||
@@ -89,7 +66,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
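Review bot: The comment block just above (`# Refer to e.g. ... #rootpw ... encrypted password form`) now describes a `--password` option that the new `bootloader --location=mbr` line no longer carries, so it reads as stale. If the minimal level genuinely does not call for a GRUB password, replace that comment with one saying so; if it does, keep `--password=$6$zCPaBARiNlBYUAS7$...` as the RHEL7 kickstarts in this series do. Dropping `audit=1` also means nothing is audited before auditd starts on this image, which deserves a one-line note so nobody copies the minimal kickstart as a template for the higher levels.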
|
||||
@@ -103,33 +80,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
-part pv.01 --grow --size=1
|
||||
-
|
||||
-# Create a Logical Volume Management (LVM) group (optional)
|
||||
-volgroup VolGroup --pesize=4096 pv.01
|
||||
-
|
||||
-# Create particular logical volumes (optional)
|
||||
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
|
||||
-# Ensure /usr Located On Separate Partition
|
||||
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
|
||||
-# Ensure /opt Located On Separate Partition
|
||||
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /srv Located On Separate Partition
|
||||
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
|
||||
-# Ensure /home Located On Separate Partition
|
||||
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
-# Ensure /tmp Located On Separate Partition
|
||||
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/tmp Located On Separate Partition
|
||||
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var Located On Separate Partition
|
||||
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
|
||||
-# Ensure /var/log Located On Separate Partition
|
||||
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
-# Ensure /var/log/audit Located On Separate Partition
|
||||
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
-logvol swap --name=swap --vgname=VolGroup --size=2016
|
||||
+autopart
|
||||
|
||||
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||
# content - security policies - on the installed system.This add-on has been enabled by default
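Review bot: `autopart` replaces a layout that put `/tmp`, `/var/tmp`, `/var/log`, `/var/log/audit` and others on their own volumes with `nodev,nosuid,noexec`; none of that survives, and the context comment `# Create primary system partitions (required for installs)` left above no longer describes what follows. Make the choice explicit with `autopart --type=lvm` and a comment such as `# Minimal level: no separate-partition or mount-option requirement; installer default layout`, so readers do not assume the separate partitions were lost by accident. If the profile applied by the `%addon org_fedora_oscap` section still selects any `partition_for_*` or `mount_option_*` rule, the post-install scan will fail those checks, which is worth confirming against the profile.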
|
||||
|
||||
From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 09:53:20 +0100
|
||||
Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
|
||||
|
||||
- Simplify boot command
|
||||
- No requirement to enforce use of SELinux
|
||||
---
|
||||
.../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +-----
|
||||
.../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++---------------
|
||||
2 files changed, 3 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
index ab654410b5..20c4c59a78 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
@@ -78,10 +78,6 @@ firewall --enabled --ssh
|
||||
# See the manual page for authconfig for a complete list of possible options.
|
||||
authconfig --enableshadow --passalgo=sha512
|
||||
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +85,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 981d291847..3a241b06f4 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
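Review bot: `--noipv6` only tells the installer not to configure IPv6 on this connection; it does not disable the IPv6 stack itself, so kernel-level restriction still depends on the profile's `net.ipv6.conf.*` sysctl rules being selected. If system-wide restriction is the goal (the next patch in this series says "Keep restricting IPv6"), a comment naming that split would help, e.g. `# --noipv6 leaves IPv6 unconfigured on the installed connection; the profile's sysctl rules handle the kernel`. The static-address example in the comment above could also show the same flag so the two forms stay consistent.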
|
||||
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +76,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
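Review bot: This drops `--password` from the RHEL8 intermediary bootloader while the RHEL7 intermediary kickstart in the same patch keeps it (`bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$...`), so the two products no longer match and GRUB on the RHEL8 image is left editable at boot. Unless the intermediary level is meant to differ between products, keep the password here too: `bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0`. The `# Refer to ... #rootpw` comment above the line otherwise refers to a password option that no longer exists on it.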
|
||||
|
||||
From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 14:03:09 +0100
|
||||
Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
|
||||
|
||||
- Keep restricting IPv6
|
||||
- Audit enabled during boot
|
||||
- No requirement to enforce use of SELinux
|
||||
---
|
||||
.../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
|
||||
.../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
|
||||
2 files changed, 3 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
index 2e75873a28..1d35bedb91 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
@@ -78,10 +78,6 @@ firewall --enabled --ssh
|
||||
# See the manual page for authconfig for a complete list of possible options.
|
||||
authconfig --enableshadow --passalgo=sha512
|
||||
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +85,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
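Review bot: `audit_backlog_limig=8192` on the new bootloader line is a typo for `audit_backlog_limit=8192`; the kernel does not recognise the misspelt parameter, so the audit backlog stays at its default and records queued by `audit=1` before auditd starts can be dropped. The RHEL8 enhanced and both high kickstarts in this series spell it correctly. Change the line to `bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$...`.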
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 4e249f61e2..728946ecb7 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
|
||||
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
-# State of SELinux on the installed system (optional)
|
||||
-# Defaults to enforcing
|
||||
-selinux --enforcing
|
||||
-
|
||||
# Set the system time zone (required)
|
||||
timezone --utc America/New_York
|
||||
|
||||
@@ -89,7 +76,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
|
||||
From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 14:08:15 +0100
|
||||
Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
|
||||
2 files changed, 3 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
index 745dcbd058..73225c2fab 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
@@ -89,7 +89,7 @@ timezone --utc America/New_York
|
||||
# Plaintext password is: password
|
||||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
||||
# encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index a1511b157a..cd0eff2625 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -6,9 +6,6 @@
|
||||
# https://pykickstart.readthedocs.io/en/latest/
|
||||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
|
||||
-# Install a fresh new system (optional)
|
||||
-install
|
||||
-
|
||||
# Specify installation method to use for installation
|
||||
# To use a different one comment out the 'url' one below, update
|
||||
# the selected choice with proper options & un-comment it
|
||||
@@ -52,7 +49,7 @@ keyboard us
|
||||
# "--bootproto=static" must be used. For example:
|
||||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
#
|
||||
-network --onboot yes --bootproto dhcp
|
||||
+network --onboot yes --bootproto dhcp --noipv6
|
||||
|
||||
# Set the system's root password (required)
|
||||
# Plaintext password is: server
|
||||
@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||
# --ssh allow sshd service through the firewall
|
||||
firewall --enabled --ssh
|
||||
|
||||
-# Set up the authentication options for the system (required)
|
||||
-# --enableshadow enable shadowed passwords by default
|
||||
-# --passalgo hash / crypt algorithm for new passwords
|
||||
-# See the manual page for authconfig for a complete list of possible options.
|
||||
-authconfig --enableshadow --passalgo=sha512
|
||||
-
|
||||
# State of SELinux on the installed system (optional)
|
||||
# Defaults to enforcing
|
||||
selinux --enforcing
|
||||
@@ -89,7 +80,7 @@ timezone --utc America/New_York
|
||||
# Refer to e.g.
|
||||
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
# to see how to create encrypted password form for different plaintext password
|
||||
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
||||
|
||||
# Initialize (format) all disks (optional)
|
||||
zerombr
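Review bot: The high-level kickstart loses `slub_debug=P page_poison=1 vsyscall=none` here and the commit message gives no reason. If the `anssi_bp28_high` profile selects the corresponding grub2 argument rules, the OSCAP add-on will put them back after install and the cost is only an install-time gap plus a misleading kickstart; if it does not, the hardened image ships without them. Either keep the three arguments in `--append` or add a comment naming the profile rules that restore them, so the kickstart and the profile are visibly in step.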
|
@ -0,0 +1,57 @@
|
||||
From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 01:02:48 +0100
|
||||
Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
|
||||
|
||||
Remediating this during kickstart install time renders the machine
|
||||
unbootable.
|
||||
---
|
||||
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
index 1811c43815..34e8290f74 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -32,3 +32,6 @@ template:
|
||||
sysctlvar: kernel.modules_disabled
|
||||
sysctlval: '1'
|
||||
datatype: int
|
||||
+ backends:
|
||||
+ # Automated remediation of this rule disrupts installs via kickstart
|
||||
+ bash: 'off'
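Review bot: Turning off only the `bash` backend leaves any other remediation the `sysctl` template generates (Ansible, if it emits one) able to set `kernel.modules_disabled=1` with the same effect on a freshly provisioned host, and that sysctl cannot be cleared again without a reboot. If the template produces an Ansible remediation, disable it here as well (`ansible: 'off'`) or record in the comment why it is safe to keep. The quoted `'off'` is correct, since a bare `off` would be read as a YAML boolean.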
|
||||
|
||||
From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Feb 2021 09:23:17 +0100
|
||||
Subject: [PATCH 2/2] Add warning why rule has no remediation
|
||||
|
||||
Rule sysctl_kernel_modules_disabled disrupts the install and boot
|
||||
process if remediated during installation.
|
||||
---
|
||||
.../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
index 34e8290f74..438cd2759e 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
||||
@@ -26,6 +26,11 @@ references:
|
||||
|
||||
platform: machine
|
||||
|
||||
+warnings:
|
||||
+ - general:
|
||||
+ This rule doesn't come with Bash remediation.
|
||||
+ Remediating this rule during the installation process disrupts the install and boot process.
|
||||
+
|
||||
template:
|
||||
name: sysctl
|
||||
vars:
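Review bot: The warning says there is no Bash remediation but not why applying the setting by hand is risky: `kernel.modules_disabled` can only be raised to 1 and cannot be set back to 0 until reboot, so any module not yet loaded at that moment (storage, network or filesystem drivers during an install) stays unavailable. Add that to the text, e.g. `Once kernel.modules_disabled is set to 1 it cannot be reset until reboot; apply it only as the final step on a fully booted system with all required modules loaded.`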
|
||||
@@ -33,5 +38,5 @@ template:
|
||||
sysctlval: '1'
|
||||
datatype: int
|
||||
backends:
|
||||
- # Automated remediation of this rule disrupts installs via kickstart
|
||||
+ # Automated remediation of this rule during installations disrupts the first boot
|
||||
bash: 'off'
|
@ -0,0 +1,62 @@
|
||||
From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 12 Feb 2021 10:36:10 +0100
|
||||
Subject: [PATCH] remove mrules disabling vfat file systems from cis profiles
|
||||
|
||||
---
|
||||
rhcos4/profiles/moderate.profile | 1 -
|
||||
rhel7/profiles/cis.profile | 3 +--
|
||||
rhel8/profiles/cis.profile | 4 ++--
|
||||
sle15/profiles/cis.profile | 1 -
|
||||
4 files changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
|
||||
index 4e715cae9a..966e092c97 100644
|
||||
--- a/rhcos4/profiles/moderate.profile
|
||||
+++ b/rhcos4/profiles/moderate.profile
|
||||
@@ -627,4 +627,3 @@ selections:
|
||||
- kernel_module_squashfs_disabled
|
||||
- kernel_module_udf_disabled
|
||||
- kernel_module_usb-storage_disabled
|
||||
- - kernel_module_vfat_disabled
|
||||
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
||||
index 22d5117546..093d2b5759 100644
|
||||
--- a/rhel7/profiles/cis.profile
|
||||
+++ b/rhel7/profiles/cis.profile
|
||||
@@ -46,8 +46,7 @@ selections:
|
||||
#### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored)
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual)
|
||||
|
||||
### 1.1.2 Ensure separate partition exists for /tmp (Scored)
|
||||
- partition_for_tmp
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index 9ceeb74f9a..e96d2fbb9d 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -31,8 +31,8 @@ selections:
|
||||
#### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
|
||||
- kernel_module_cramfs_disabled
|
||||
|
||||
- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
+ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
|
||||
+
|
||||
|
||||
#### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
|
||||
- kernel_module_squashfs_disabled
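Review bot: The `#### 1.1.1.2` heading is now followed by nothing, so a reader cannot tell whether the rule was forgotten or deliberately left out. Put the reason under the heading, e.g. `# kernel_module_vfat_disabled is not selected: the EFI System Partition is FAT-formatted and UEFI systems need the vfat module to mount /boot/efi for bootloader and firmware updates`. The same note would fit the rhel7, sle15 and rhcos4 hunks in this patch, where the commit subject ("cis profiles") does not even mention the rhcos4 moderate profile being changed.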
|
||||
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
|
||||
index 9a0efedbdd..fa9ff3b775 100644
|
||||
--- a/sle15/profiles/cis.profile
|
||||
+++ b/sle15/profiles/cis.profile
|
||||
@@ -25,7 +25,6 @@ selections:
|
||||
- kernel_module_udf_disabled
|
||||
|
||||
#### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored)
|
||||
- - kernel_module_vfat_disabled
|
||||
|
||||
### 1.1.2 Ensure /tmp is configured (Scored)
|
||||
- partition_for_tmp
|
@ -0,0 +1,24 @@
|
||||
From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 25 Jan 2021 18:28:26 +0100
|
||||
Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
|
||||
rule.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
2 files changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
index dc9f7dca7c..88d2d77e14 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
||||
@@ -19,7 +19,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
- cce@rhel7: CCE-83398-8
|
||||
+ cce@rhel7: CCE-83636-1
|
||||
|
||||
references:
|
||||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
@ -0,0 +1,39 @@
|
||||
From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 16 Feb 2021 15:49:46 +0100
|
||||
Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG
|
||||
profile.
|
||||
|
||||
This rule is not aligned with STIG because it checks for space left in
|
||||
megabytes, whereas STIG demands space left in percentage.
|
||||
---
|
||||
rhel8/profiles/stig.profile | 3 ++-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 0aa6f28986..dccfb548b7 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -219,7 +219,8 @@ selections:
|
||||
- package_rsyslog_installed
|
||||
- package_rsyslog-gnutls_installed
|
||||
- rsyslog_remote_loghost
|
||||
- - auditd_data_retention_space_left
|
||||
+ # this rule expects configuration in MB instead percentage as how STIG demands
|
||||
+ # - auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
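Review bot: Commenting out `auditd_data_retention_space_left` leaves the STIG's space_left requirement with no check in this profile, and the inline comment does not say what should replace it. A rule that checks the percentage form auditd accepts would be the real fix; until one exists, mark the gap next to the disabled line, e.g. `# TODO: replace with a rule that checks space_left as a percentage, as the STIG requires`. The stability-test change below matches this removal, so profile and test stay in sync.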
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 55b645b67b..41782dcf3d 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -63,7 +63,6 @@ selections:
|
||||
- auditd_data_disk_full_action
|
||||
- auditd_data_retention_action_mail_acct
|
||||
- auditd_data_retention_max_log_file_action
|
||||
-- auditd_data_retention_space_left
|
||||
- auditd_data_retention_space_left_action
|
||||
- auditd_local_events
|
||||
- auditd_log_format
|
@ -0,0 +1,43 @@
|
||||
From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:07 +0100
|
||||
Subject: [PATCH 1/2] remove rule from rhel8 stig
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 882c481066..cda0239433 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -45,7 +45,6 @@ selections:
|
||||
- package_audispd-plugins_installed
|
||||
- package_libcap-ng-utils_installed
|
||||
- auditd_audispd_syslog_plugin_activated
|
||||
- - accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_password_pam_enforce_local
|
||||
- accounts_password_pam_enforce_root
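Review bot: `accounts_passwords_pam_faillock_enforce_local` is dropped from the RHEL8 STIG profile with no rationale in the commit message or in a comment, unlike the later hunk in this series that disables a rule and says why. Add a one-line comment at the removal site naming the STIG item it was mapped to and why the mapping is wrong, e.g. `# accounts_passwords_pam_faillock_enforce_local removed: not required by the RHEL8 STIG`; otherwise the next person reconciling the profile against the STIG will simply add it back.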
|
||||
|
||||
|
||||
From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 12 Jan 2021 16:23:25 +0100
|
||||
Subject: [PATCH 2/2] modify profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index a4ad24aec2..6676ca497c 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -41,7 +41,6 @@ selections:
|
||||
- accounts_password_set_max_life_existing
|
||||
- accounts_password_set_min_life_existing
|
||||
- accounts_passwords_pam_faillock_deny
|
||||
-- accounts_passwords_pam_faillock_enforce_local
|
||||
- accounts_passwords_pam_faillock_interval
|
||||
- accounts_passwords_pam_faillock_unlock_time
|
||||
- accounts_umask_etc_bashrc
|
6088
SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
Normal file
843
SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
Normal file
@ -0,0 +1,843 @@
|
||||
From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
|
||||
From: Guang Yee <guang.yee@suse.com>
|
||||
Date: Mon, 11 Jan 2021 12:55:43 -0800
|
||||
Subject: [PATCH] Enable checks and remediations for the following SLES-12
|
||||
STIGs:
|
||||
|
||||
- SLES-12-010030 'banner_etc_issue'
|
||||
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
|
||||
- SLES-12-010450 'encrypt_partitions'
|
||||
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
|
||||
- SLES-12-010500 'package_aide_installed'
|
||||
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
|
||||
- SLES-12-010580 'kernel_module_usb-storage_disabled'
|
||||
- SLES-12-010599 'package_MFEhiplsm_installed'
|
||||
- SLES-12-010690 'no_files_unowned_by_user'
|
||||
- SLES-12-030000 'package_telnet-server_removed'
|
||||
- SLES-12-030010 'ftp_present_banner'
|
||||
- SLES-12-030050 'sshd_enable_warning_banner'
|
||||
- SLES-12-030110 'sshd_set_loglevel_verbose'
|
||||
- SLES-12-030130 'sshd_print_last_log'
|
||||
- SLES-12-030210 'file_permissions_sshd_pub_key'
|
||||
- SLES-12-030220 'file_permissions_sshd_private_key'
|
||||
- SLES-12-030230 'sshd_enable_strictmodes'
|
||||
- SLES-12-030240 'sshd_use_priv_separation'
|
||||
- SLES-12-030250 'sshd_disable_compression'
|
||||
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
|
||||
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
|
||||
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
|
||||
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
|
||||
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
|
||||
---
|
||||
.../ftp_present_banner/rule.yml | 1 +
|
||||
.../package_telnet-server_removed/rule.yml | 1 +
|
||||
.../rule.yml | 1 +
|
||||
.../file_permissions_sshd_pub_key/rule.yml | 1 +
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../sshd_disable_compression/rule.yml | 1 +
|
||||
.../sshd_enable_strictmodes/rule.yml | 1 +
|
||||
.../sshd_enable_warning_banner/rule.yml | 1 +
|
||||
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
|
||||
.../sshd_set_loglevel_verbose/rule.yml | 1 +
|
||||
.../sshd_use_priv_separation/rule.yml | 1 +
|
||||
.../banner_etc_issue/ansible/shared.yml | 2 +-
|
||||
.../banner_etc_issue/rule.yml | 4 ++-
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../bash/shared.sh | 2 +-
|
||||
.../rule.yml | 2 ++
|
||||
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
|
||||
.../rule.yml | 4 ++-
|
||||
.../encrypt_partitions/rule.yml | 8 +++++-
|
||||
.../package_MFEhiplsm_installed/rule.yml | 2 ++
|
||||
.../aide/package_aide_installed/rule.yml | 3 +++
|
||||
.../ansible/sle12.yml | 13 ++++++++++
|
||||
.../rule.yml | 8 +++++-
|
||||
shared/applicability/general.yml | 4 +++
|
||||
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
|
||||
.../kernel_module_disabled/ansible.template | 12 +++++++--
|
||||
.../kernel_module_disabled/bash.template | 9 ++++++-
|
||||
.../kernel_module_disabled/oval.template | 5 ++++
|
||||
sle12/product.yml | 1 +
|
||||
sle12/profiles/stig.profile | 25 +++++++++++++++++++
|
||||
37 files changed, 153 insertions(+), 18 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
||||
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
|
||||
|
||||
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
index 35ba09b0d0..3590a085b6 100644
|
||||
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
||||
@@ -19,6 +19,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80248-8
+ cce@sle12: CCE-83059-6
references:
stigid@sle12: SLES-12-030010
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 317eecdc3d..619b3f0b7d 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -27,6 +27,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27165-0
cce@rhel8: CCE-82182-7
+ cce@sle12: CCE-83084-4
references:
stigid@ol7: OL07-00-021710
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index 2e52219ece..d460411667 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27485-2
cce@rhel8: CCE-82424-3
+ cce@sle12: CCE-83058-8
references:
stigid@ol7: OL07-00-040420
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index e59ddc0770..b9e07d71af 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -13,6 +13,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27311-0
cce@rhel8: CCE-82428-4
+ cce@sle12: CCE-83057-0
references:
stigid@ol7: OL07-00-040410
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
index e07e436d60..f8d422c6c4 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index fe7e67c1c2..f8eec6a074 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80224-9
cce@rhel8: CCE-80895-6
+ cce@sle12: CCE-83062-0
references:
stigid@ol7: OL07-00-040470
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index 22b98c71a2..601f6a0ca2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80222-3
cce@rhel8: CCE-80904-6
+ cce@sle12: CCE-83060-4
references:
stigid@ol7: OL07-00-040450
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index 2199d61ca9..c93ef6340f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27314-4
cce@rhel8: CCE-80905-3
+ cce@sle12: CCE-83066-1
references:
stigid@ol7: OL07-00-040170
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index a0b8ed38ae..0ce5da30b2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80225-6
cce@rhel8: CCE-82281-7
+ cce@sle12: CCE-83083-6
references:
stigid@ol7: OL07-00-040360
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 28ce48de8e..2180398855 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82419-3
cce@rhel8: CCE-82420-1
+ cce@sle12: CCE-83077-8
references:
srg: SRG-OS-000032-GPOS-00013
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
index 14d1acfd22..d65ddb6cd1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80223-1
cce@rhel8: CCE-80908-7
+ cce@sle12: CCE-83061-2
references:
stigid@ol7: OL07-00-040460
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
index f3a0c85ea5..ff6b6eab42 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# reboot = false
# strategy = unknown
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
index a86ede70f8..637d8ee528 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Modify the System Login Banner'
@@ -52,6 +52,7 @@ identifiers:
cce@rhel7: CCE-27303-7
cce@rhel8: CCE-80763-6
cce@rhcos4: CCE-82555-4
+ cce@sle12: CCE-83054-7
references:
stigid@ol7: OL07-00-010050
@@ -64,6 +65,7 @@ references:
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
stigid@rhel7: RHEL-07-010050
+ stigid@sle12: SLES-12-010030
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
cobit5: DSS05.04,DSS05.10,DSS06.10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index 9d50a9d20c..536ac29569 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index e598f4e8cb..32412aa482 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -20,6 +20,7 @@ severity: low
identifiers:
cce@rhel7: CCE-82041-5
cce@rhel8: CCE-80955-8
+ cce@sle12: CCE-83065-3
references:
stigid@ol7: OL07-00-040000
@@ -30,6 +31,7 @@ references:
srg: SRG-OS-000027-GPOS-00008
vmmsrg: SRG-OS-000027-VMM-000080
stigid@rhel7: RHEL-07-040000
+ stigid@sle12: SLES-12-010120
isa-62443-2013: 'SR 3.1,SR 3.8'
isa-62443-2009: 4.3.3.4
cobit5: DSS01.05,DSS05.02
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
index 23bcdf8641..007b23ba24 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index 4c27eb11fd..1943a00fb2 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Encrypt Audit Records Sent With audispd Plugin'
@@ -26,6 +26,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80540-8
cce@rhel8: CCE-80926-9
+ cce@sle12: CCE-83063-8
references:
stigid@ol7: OL07-00-030310
@@ -33,6 +34,7 @@ references:
nist: AU-9(3),CM-6(a)
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
stigid@rhel7: RHEL-07-030310
+ stigid@sle12: SLES-12-030340
ospp: FAU_GEN.1.1.c
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a3f78cb910..8767a5226f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80179-5
cce@rhel8: CCE-81013-5
cce@rhcos4: CCE-82480-5
+ cce@sle12: CCE-83078-6
references:
stigid@ol7: OL07-00-040830
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040830
+ stigid@sle12: SLES-12-030361
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 0cd3dbc143..7bc4e3b9b7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27434-0
cce@rhel8: CCE-81011-9
cce@rhcos4: CCE-82478-9
+ cce@sle12: CCE-83064-6
references:
stigid@ol7: OL07-00-040610
@@ -33,6 +34,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040610
+ stigid@sle12: SLES-12-030360
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index c48ec8de3d..f7ee2e9818 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-80162-1
cce@rhel8: CCE-80920-2
cce@rhcos4: CCE-82479-7
+ cce@sle12: CCE-83079-4
references:
stigid@ol7: OL07-00-040620
@@ -34,6 +35,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040620
+ stigid@sle12: SLES-12-030370
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index ddf6b07758..861c3485f3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
@@ -19,6 +19,7 @@ identifiers:
cce@rhel7: CCE-80999-6
cce@rhel8: CCE-80921-0
cce@rhcos4: CCE-82485-4
+ cce@sle12: CCE-83086-9
references:
stigid@ol7: OL07-00-040650
@@ -31,6 +32,7 @@ references:
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000480-GPOS-00227
stigid@rhel7: RHEL-07-040650
+ stigid@sle12: SLES-12-030420
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
index 0a829df187..e49942d1cc 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
df --local -P | awk '{if (NR!=1) print $6}' \
| xargs -I '{}' find '{}' -xdev -type d \
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index d04df8df86..5bb3cf3713 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80130-8
cce@rhel8: CCE-80783-4
cce@rhcos4: CCE-82753-5
+ cce@sle12: CCE-83047-1
references:
cis@rhe8: 1.1.21
@@ -46,6 +47,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
cis@sle15: 1.1.22
+ stigid@sle12: SLES-12-010460
ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index e664cf9215..faab0b8822 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Ensure All Files Are Owned by a User'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80134-0
cce@rhel8: CCE-83499-4
+ cce@sle12: CCE-83072-9
references:
stigid@ol7: OL07-00-020320
@@ -40,6 +41,7 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 11,12,13,14,15,16,18,3,5,9
cis@sle15: 6.1.11
+ stigid@sle12: SLES-12-010690
ocil_clause: 'files exist that are not owned by a valid user'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index c78b570efb..24e77cc74e 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
title: 'Disable Modprobe Loading of USB Storage Driver'
@@ -22,6 +22,7 @@ identifiers:
cce@rhel7: CCE-27277-3
cce@rhel8: CCE-80835-2
cce@rhcos4: CCE-82719-6
+ cce@sle12: CCE-83069-5
references:
stigid@ol7: OL07-00-020100
@@ -39,6 +40,7 @@ references:
cis-csc: 1,12,15,16,5
cis@rhel8: 1.1.23
cis@sle15: 1.1.3
+ stigid@sle12: SLES-12-010580
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index 80d1856778..fe370a4323 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
title: 'Encrypt Partitions'
@@ -14,6 +14,7 @@ description: |-
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
+ {{% if product != "sle12" %}}
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
@@ -26,11 +27,14 @@ description: |-
<br /><br />
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
+ {{% endif %}}
<br /><br />
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the {{{ full_name }}} Documentation web site:<br />
{{% if product in ["ol7", "ol8"] %}}
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
+ {{% elif product == "sle12" %}}
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
{{% endif %}}
@@ -45,6 +49,7 @@ severity: high
identifiers:
cce@rhel7: CCE-27128-8
cce@rhel8: CCE-80789-1
+ cce@sle12: CCE-83046-3
references:
cui: 3.13.16
@@ -58,6 +63,7 @@ references:
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
cis-csc: 13,14
+ stigid@sle12: SLES-12-010450
ocil_clause: 'partitions do not have a type of crypto_LUKS'
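Review bot: In the `@@ -26,11 +27,14 @@` hunk the added `{{% elif product == "sle12" %}}` weblink line has no trailing `.`, unlike the OL and RHEL branches, so the rendered sentence ends differently per product; change it to `{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}.`. The link path is under `sled-12` (the desktop product) while this rule targets SLES, so it is worth confirming it is the intended reference. The `{{% if product != "sle12" %}}` guard removes the unattended-install paragraph for SLE without a replacement; a one-line note on where SLE's unattended installer configures disk encryption would keep the description comparable across products, if there is documentation to cite.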
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
index f96cfc925b..c0bf1ee908 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80368-4
+ cce@sle12: CCE-83071-1
references:
disa: CCI-000366,CCI-001263
@@ -31,6 +32,7 @@ references:
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
stigid@rhel7: RHEL-07-020019
+ stigid@sle12: SLES-12-010599
ocil_clause: 'the HBSS HIPS module is not installed'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 699992b48c..23e939bbec 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,6 +14,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-27096-7
cce@rhel8: CCE-80844-4
+ cce@sle12: CCE-83048-9
references:
cis@rhel8: 1.4.1
@@ -30,6 +31,8 @@ references:
srg: SRG-OS-000363-GPOS-00150
cis@sle15: 1.4.1
ism: 1034,1288,1341,1417
+ stigid@sle12: SLES-12-010500
+ disa@sle12: CCI-002699
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
new file mode 100644
index 0000000000..6fca48166a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: Ensure GPG check is globally activated (zypper)
+ ini_file:
+ dest: /etc/zypp/zypp.conf
+ section: main
+ option: gpgcheck
+ value: 1
+ no_extra_spaces: yes
+ create: False
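Review bot: `create: False` on the last line makes the task fail when `/etc/zypp/zypp.conf` is absent rather than creating it; that is a reasonable choice behind the zypper CPE, but it is undocumented, and a comment such as `# zypp.conf is owned by the zypper package; do not create it if it is missing` above the task would record the intent. The header's `# strategy = unknown` understates a single-key configuration edit; `# strategy = configure` describes what the task does. The boolean literals mix `yes` and `False`; use one form for `no_extra_spaces` and `create`. Nothing in the visible part of the diffstat adds an OVAL check reading `/etc/zypp/zypp.conf`, so if the rule's existing check still inspects yum.conf, SLE hosts would be remediated on a file the check never reads; this also concerns the `platform: zypper` switch in the rule.yml section that follows, so confirm the check side.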
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 24cef5499c..1f86aff1e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
@@ -33,6 +33,7 @@ severity: high
identifiers:
cce@rhel7: CCE-26989-4
cce@rhel8: CCE-80790-9
+ cce@sle12: CCE-83068-7
references:
stigid@ol7: OL07-00-020050
@@ -54,6 +55,7 @@ references:
iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
cis-csc: 11,2,3,9
anssi: BP28(R15)
+ stigid@sle12: SLES-12-010550
ocil_clause: 'GPG checking is not enabled'
@@ -66,4 +68,8 @@ ocil: |-
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
disabled.
+{{% if product == 'sle12' %}}
+platform: zypper
+{{% else %}}
platform: yum
+{{% endif %}}
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index a6581fd713..7382b7dd30 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -74,3 +74,7 @@ cpes:
title: "Package yum is installed"
check_id: installed_env_has_yum_package
+ - zypper:
+ name: "cpe:/a:zypper"
+ title: "Package zypper is installed"
+ check_id: installed_env_has_zypper_package
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
new file mode 100644
index 0000000000..cf14e6af3c
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_zypper_package" version="1">
+ <metadata>
+ <title>Package zypper is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_sle</platform>
+ </affected>
+ <description>Checks if package zypper is installed.</description>
+ <reference ref_id="cpe:/a:zypper" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_zypper_installed" version="1"
+ comment="system has package zypper installed">
+ <linux:object object_ref="obj_env_has_zypper_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
+ <linux:name>zypper</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 47deee6e54..c4a83ad325 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,12 +1,20 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
+ lineinfile:
+ create: yes
+ dest: "/etc/modprobe.d/50-blacklist.conf"
+ regexp: '^blacklist {{{ KERNMODULE }}}$'
+ line: "blacklist {{{ KERNMODULE }}}"
+{{% else %}}
- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
lineinfile:
create: yes
dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
regexp: '{{{ KERNMODULE }}}'
line: "install {{{ KERNMODULE }}} /bin/true"
-
+{{% endif %}}
diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
index 42c0830b5f..f70a9925cd 100644
--- a/shared/templates/kernel_module_disabled/bash.template
+++ b/shared/templates/kernel_module_disabled/bash.template
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
# reboot = true
# strategy = disable
# complexity = low
# disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
else
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
fi
+{{% endif %}}
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@
<ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
+ {{% if product == "sle12" %}}
+ <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
+ {{% else %}}
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
+ {{% endif %}}
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
init_system: "systemd"
pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
cpes_root: "../shared/applicability"
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 6cf3339569..15c4f70336 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -12,34 +12,59 @@ selections:
- account_temp_expire_date
- accounts_have_homedir_login_defs
- accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
- accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
- accounts_no_uid_except_zero
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_umask_etc_login_defs
+ - auditd_audispd_encrypt_sent_records
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_space_left
+ - banner_etc_issue
- banner_etc_motd
+ - dir_perms_world_writable_sticky_bits
- disable_ctrlaltdel_reboot
+ - encrypt_partitions
+ - ensure_gpgcheck_globally_activated
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - ftp_present_banner
- gnome_gdm_disable_automatic_login
- grub2_password
- grub2_uefi_password
- installed_OS_is_vendor_supported
+ - kernel_module_usb-storage_disabled
- no_empty_passwords
+ - no_files_unowned_by_user
- no_host_based_files
- no_user_host_based_files
+ - package_MFEhiplsm_installed
+ - package_aide_installed
- package_audit-audispd-plugins_installed
- package_audit_installed
+ - package_telnet-server_removed
- postfix_client_configure_mail_alias
- security_patches_up_to_date
- service_auditd_enabled
- set_password_hashing_algorithm_logindefs
+ - sshd_disable_compression
- sshd_disable_empty_passwords
- sshd_disable_user_known_hosts
- sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
- sshd_enable_x11_forwarding
+ - sshd_print_last_log
- sshd_set_idle_timeout
- sshd_set_keepalive
+ - sshd_set_loglevel_verbose
+ - sshd_use_priv_separation
- sudo_remove_no_authenticate
- sudo_remove_nopasswd
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route
1313
SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
Normal file
@ -0,0 +1,259 @@
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index abcebf60c7..50c7d689af 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -61,7 +61,6 @@ references:
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
- stigid@rhel7: RHEL-07-040110
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..4796a2eab1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved ciphers"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
+ state: present
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..8f751ed516
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
+else
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..53ff0a2a9e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
new file mode 100644
index 0000000000..0751064179
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -0,0 +1,64 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated Ciphers'
+
+description: |-
+ Limit the ciphers to those algorithms which are FIPS-approved.
+ The following line in <tt>/etc/ssh/sshd_config</tt>
+ demonstrates use of FIPS-approved ciphers:
+ <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
+ This rule ensures that there are configured ciphers mentioned
+ above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
+ <br />
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
+ cryptographic modules.
+ <br />
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
+ utilize authentication that meets industry and government requirements. For government systems, this allows
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83398-8
+
+references:
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@rhel7: RHEL-07-040110
+
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
+
+ocil: |-
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
+ ciphers are in use, run the following command:
+ <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
+ The output should contain only following ciphers (or a subset) in the exact order:
+ <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
new file mode 100644
index 0000000000..daff7d7c53
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
new file mode 100644
index 0000000000..b9d22262af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
new file mode 100644
index 0000000000..b99d3832cd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6dfd54631c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
+else
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..7b38914a1a
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
new file mode 100644
index 0000000000..6fdb47093d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
+else
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..24fdf0f30d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
+else
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
+fi
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 6c06a8ede6..adf86894e1 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -239,8 +239,7 @@ selections:
- install_antivirus
- accounts_max_concurrent_login_sessions
- configure_firewalld_ports
- - sshd_approved_ciphers=stig
- - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
- accounts_tmout
- sshd_enable_warning_banner
- sssd_ldap_start_tls
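Review bot: The `regexp` in sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml only matches a `Ciphers` line that is already compliant, so when the file holds a non-compliant one such as `Ciphers aes128-cbc`, lineinfile appends `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` at the end and leaves the original line in place. sshd uses the first value it reads for a keyword, so the appended line has no effect there, whereas bash/shared.sh rewrites any `[Cc]iphers` line in place; matching any existing directive, e.g. `regexp: '^\s*[Cc]iphers\s+'`, would make the two remediations agree (the MACs rule's ansible/shared.yml further down uses the same construction). The OVAL object in oval/shared.xml likewise tests only instance 1 of the lines matching the compliant pattern, so a non-compliant `Ciphers` line earlier in the file would not fail the check; that is a gap on the check side as well. Minor: `[\w,-@]` in the Ansible regexp is a character range from `,` to `@` (it also admits digits, `.`, `/`, `:`, `;`, `=`, `?`), where the literal set `[\w,@-]` was presumably intended. The remediations also match only `Ciphers`/`ciphers` while the OVAL pattern is case-insensitive via `(?i)`; sshd keywords are case-insensitive, so e.g. `CIPHERS` would be evaluated by the check but left untouched by both remediations.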
@ -0,0 +1,386 @@
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 19 Jan 2021 12:32:07 +0100
Subject: [PATCH 1/7] add rule and remediations
---
.../ansible/shared.yml | 13 +++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 38 +++++++++++++
.../rule.yml | 57 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
5 files changed, 115 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
new file mode 100644
index 0000000000..cefba7db05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved MACs"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
+ state: present
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+ create: True
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
new file mode 100644
index 0000000000..c76190fb96
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+else
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
new file mode 100644
index 0000000000..d7fbd9f0ed
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
new file mode 100644
index 0000000000..dc9f7dca7c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -0,0 +1,57 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel7
|
||||
+
|
||||
+title: 'Use Only FIPS 140-2 Validated MACs'
|
||||
+
|
||||
+description: |-
|
||||
+ Limit the MACs to those hash algorithms which are FIPS-approved.
|
||||
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
||||
+ demonstrates use of FIPS-approved MACs:
|
||||
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+ This rule ensures that there are configured MACs mentioned
|
||||
+ above (or their subset), keeping the given order of algorithms.
|
||||
+
|
||||
+rationale: |-
|
||||
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
|
||||
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83398-8
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
||||
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
+ stigid@rhel7: RHEL-07-040400
|
||||
+
|
||||
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
|
||||
+ MACs are in use, run the following command:
|
||||
+ <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
|
||||
+ The output should contain only following MACs (or a subset) in the exact order:
|
||||
+ <pre>hmac-sha2-512,hmac-sha2-256</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The system needs to be rebooted for these changes to take effect.
|
||||
+ - regulatory: |-
|
||||
+ System Crypto Modules must be provided by a vendor that undergoes
|
||||
+ FIPS-140 certifications.
|
||||
+ FIPS-140 is applicable to all Federal agencies that use
|
||||
+ cryptographic-based security systems to protect sensitive information
|
||||
+ in computer and telecommunication systems (including voice systems) as
|
||||
+ defined in Section 5131 of the Information Technology Management Reform
|
||||
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||||
+ designing and implementing cryptographic modules that Federal
|
||||
+ departments and agencies operate or are operated for them under
|
||||
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||||
+ To meet this, the system has to have cryptographic software provided by
|
||||
+ a vendor that has undergone this certification. This means providing
|
||||
+ documentation, test results, design information, and independent third
|
||||
+ party review by an accredited lab. While open source software is
|
||||
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||||
+ submits to this process.
|
||||
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:25 +0100
|
||||
Subject: [PATCH 2/7] add tests
|
||||
|
||||
---
|
||||
.../tests/comment.fail.sh | 7 +++++++
|
||||
.../tests/correct_reduced_list.pass.sh | 7 +++++++
|
||||
.../tests/correct_scrambled.fail.sh | 7 +++++++
|
||||
.../tests/correct_value.pass.sh | 7 +++++++
|
||||
.../tests/line_not_there.fail.sh | 3 +++
|
||||
.../tests/no_parameters.fail.sh | 7 +++++++
|
||||
.../tests/wrong_value.fail.sh | 7 +++++++
|
||||
7 files changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..26bf18234c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0d922cdee9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..ce3f459352
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..19da7102a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..fd1f19347a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..44c07c6de0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo 'MACs ' >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..cf56cd228f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
||||
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
|
||||
+else
|
||||
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
|
||||
+fi
|
||||
|
||||
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:32:58 +0100
|
||||
Subject: [PATCH 3/7] modify rhel7 stig profile
|
||||
|
||||
---
|
||||
rhel7/profiles/stig.profile | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
||||
index 6c06a8ede6..17c781d3eb 100644
|
||||
--- a/rhel7/profiles/stig.profile
|
||||
+++ b/rhel7/profiles/stig.profile
|
||||
@@ -28,7 +28,6 @@ selections:
|
||||
- inactivity_timeout_value=15_minutes
|
||||
- var_screensaver_lock_delay=5_seconds
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - sshd_approved_macs=stig
|
||||
- var_accounts_fail_delay=4
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
@@ -259,7 +258,7 @@ selections:
|
||||
- sshd_print_last_log
|
||||
- sshd_disable_root_login
|
||||
- sshd_allow_only_protocol2
|
||||
- - sshd_use_approved_macs
|
||||
+ - sshd_use_approved_macs_ordered_stig
|
||||
- file_permissions_sshd_pub_key
|
||||
- file_permissions_sshd_private_key
|
||||
- sshd_disable_gssapi_auth
|
||||
|
||||
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 19 Jan 2021 12:33:10 +0100
|
||||
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
|
||||
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
index 394c733f51..d47eb443f5 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
||||
@@ -54,7 +54,6 @@ references:
|
||||
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
|
||||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
||||
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
|
||||
- stigid@rhel7: RHEL-07-040400
|
||||
stigid@sle12: SLES-12-030180
|
||||
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
||||
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
|
||||
|
||||
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:43:16 +0100
|
||||
Subject: [PATCH 5/7] simplify regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index d7fbd9f0ed..5973488661 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
|
||||
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 11:55:19 +0100
|
||||
Subject: [PATCH 6/7] make bash remediation more readable
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
index c76190fb96..f8f6f39bee 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
||||
@@ -1,6 +1,6 @@
|
||||
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
||||
|
||||
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
||||
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
|
||||
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
||||
else
|
||||
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
||||
|
||||
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 13:05:18 +0100
|
||||
Subject: [PATCH 7/7] one more small fix to oval regex
|
||||
|
||||
---
|
||||
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
index 5973488661..b5443b07c4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
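--- /dev/null
+++ b/<patch-file-path-not-shown-on-page>
@@ -0,0 +1,30 @@
+From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 18 Jan 2021 15:21:51 +0100
+Subject: [PATCH] Supress Ansible lint error 503
+
+It says that Tasks that run when changed should likely be handlers.
+However, we don't use handlers, and developer guide says that handlers
+aren't supported. I assume handlers would cause problems for SCAP
+scanners. Unless we start to support handlers this error isn't fixable
+for us therefore we can suppress it globally.
+
+Addressing problems in scap-security-guide-lint-check Jenkins job:
+30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
+all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+---
+tests/ansible-lint_config.yml | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
+index d5107476a9..e4b4443f8c 100644
+--- a/tests/ansible-lint_config.yml
++++ b/tests/ansible-lint_config.yml
+@@ -3,3 +3,4 @@ skip_list:
+- '301' # Commands should not change things if nothing needs doing
+- '303' # Using command rather than module
+- '403' # Package installs should not use latest
++ - '503' # Tasks that run when changed should likely be handlers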
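Review bot: The new `- '503'` skip-list entry records only the lint rule's own description, while the reason it is skipped globally (the project does not use Ansible handlers, per the patch description above) lives only in the commit message and will not be visible to someone reading the config later. Suggest carrying that reason into the comment, e.g. `- '503' # Tasks that run when changed should likely be handlers (handlers are not used in this project)`. The enclosing skip_list block starts before the hunk.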
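--- /dev/null
+++ b/<patch-file-path-not-shown-on-page>
@@ -0,0 +1,73 @@
+From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Fri, 15 Jan 2021 16:28:07 +0100
+Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
+
+---
+.../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++---------
+.../sshd_enable_x11_forwarding/rule.yml | 1 -
+rhel7/profiles/stig.profile | 2 +-
+3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+index 1779129f87..7da2e067a6 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+@@ -19,22 +19,23 @@ rationale: |-
+other users on the X11 server. Note that even if X11 forwarding is disabled,
+users can always install their own forwarders.
+
+-severity: low
++severity: medium
+
+-ocil_clause: "that the X11Forwarding option exists and is enabled"
+-
+-ocil: |-
+- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
++{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
+
+identifiers:
+cce@rhel7: CCE-83359-0
+cce@rhel8: CCE-83360-8
+
+references:
+- cis@rhel7: 5.2.4
+- cis@rhel8: 5.2.6
+- cis@sle12: 5.2.4
+- cis@sle15: 5.2.6
++ cis@rhel7: 5.2.4
++ cis@rhel8: 5.2.6
++ cis@sle12: 5.2.4
++ cis@sle15: 5.2.6
++ stigid@rhel7: RHEL-07-040710
++ srg: SRG-OS-000480-GPOS-00227
++ disa: CCI-000366
++ nist: CM-6(b)
+
+template:
+name: sshd_lineinfile
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+index 803e581a0f..87c3cb7f5a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+@@ -29,7 +29,6 @@ references:
+nist: CM-6(a),AC-17(a),AC-17(2)
+nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
+srg: SRG-OS-000480-GPOS-00227
+- stigid@rhel7: RHEL-07-040710
+stigid@sle12: SLES-12-030260
+isa-62443-2013: 'SR 7.6'
+isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 817e0982e5..6c06a8ede6 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -285,7 +285,7 @@ selections:
+- postfix_prevent_unrestricted_relay
+- package_vsftpd_removed
+- package_tftp-server_removed
+- - sshd_enable_x11_forwarding
++ - sshd_disable_x11_forwarding
+- sshd_x11_use_localhost
+- tftpd_uses_secure_mode
+- package_xorg-x11-server-common_removed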
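Review bot: The switch to `complete_ocil_entry_sshd_option(default="yes", ...)` in the sshd_disable_x11_forwarding rule changes how the manual (OCIL) check treats a config with no X11Forwarding line at all, but the `template:` block that drives the OVAL check and remediation is cut off right after `name: sshd_lineinfile`, so it is not visible whether the template's missing-parameter handling was aligned with it. If the template still fails on an absent line while the OCIL text now accepts the sshd default, the automated and manual results will disagree on the same host, which is the kind of inconsistency the STIG mapping (`stigid@rhel7: RHEL-07-040710`) makes visible to auditors. Worth confirming the template parameters match `default="yes"` and saying so in the rule, e.g. `# sshd's documented default for X11Forwarding is no; keep the OCIL default= and the template's missing-line handling in sync`. The enclosing rule file continues outside the hunk.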
@ -0,0 +1,688 @@
|
||||
From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:17:15 +0100
|
||||
Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
|
||||
|
||||
This is not necessary as the ANSSI controls file handles this.
|
||||
---
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 64a9b542a0..4d0029af1d 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -7,7 +7,6 @@ description:
|
||||
Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
https://www.ssi.gouv.fr/.
|
||||
|
||||
-extends: anssi_bp28_minimal
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
|
||||
From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 09:21:47 +0100
|
||||
Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
|
||||
|
||||
---
|
||||
controls/anssi.yml | 2 +-
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++---
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++-----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++----
|
||||
9 files changed, 71 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 2173d23f9d..54c05245b7 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -1,5 +1,5 @@
|
||||
policy: 'ANSSI-BP-028'
|
||||
-title: 'ANSSI-BP-028'
|
||||
+title: 'Configuration Recommendations of a GNU/Linux System'
|
||||
id: anssi
|
||||
version: '1.2'
|
||||
source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 5893d12dbd..49fa8593fe 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
|
||||
+title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 52ae1dd6d2..2853f20607 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
|
||||
- d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index e18225247b..55f985a7a9 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,10 +1,16 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
|
||||
+title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
|
||||
- des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:intermediary
|
||||
+ - anssi:all:intermediary
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 214f37d14b..7786a26b45 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,9 +1,15 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
|
||||
+title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
|
||||
- systèmes d''information. Based on https://www.ssi.gouv.fr/.'
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- - anssi:all:minimal
|
||||
+ - anssi:all:minimal
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 4c39852b65..49fa8593fe 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (enhanced)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:enhanced
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 6b0489e0f1..2853f20607 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,11 +1,15 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the high level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 4d0029af1d..50ab1ba0b8 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -2,11 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (intermediary)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d''information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:intermediary
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d8f076c3e7..d477d34787 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -2,10 +2,14 @@ documentation_complete: true
|
||||
|
||||
title: 'ANSSI BP-028 (minimal)'
|
||||
|
||||
-description:
|
||||
- ANSSI BP-028 compliance at the minimal level. ANSSI stands for
|
||||
- Agence nationale de la sécurité des systèmes d'information. Based on
|
||||
- https://www.ssi.gouv.fr/.
|
||||
+description: |-
|
||||
+ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+
|
||||
+ A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
- anssi:all:minimal
|
||||
|
||||
From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Feb 2021 12:23:14 +0100
|
||||
Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_high.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_high.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++----
|
||||
8 files changed, 32 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 55f985a7a9..6e39a978e5 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -1,15 +1,15 @@
|
||||
# Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index 7786a26b45..f0a77bccd7 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 49fa8593fe..411f0c03aa 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (enhanced)'
|
||||
+title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index 2853f20607..d9147b2dd0 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: false
|
||||
|
||||
-title: 'DRAFT - ANSSI BP-028 (high)'
|
||||
+title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 50ab1ba0b8..6dcd2b8ef2 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (intermediary)'
|
||||
+title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index d477d34787..54e8cbd5a6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -1,14 +1,14 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'ANSSI BP-028 (minimal)'
|
||||
+title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
- A copy of the ANSSI BP-028 can be found at the ANSSI website:
|
||||
+ A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
|
||||
|
||||
selections:
|
||||
|
||||
From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 11:11:57 +0100
|
||||
Subject: [PATCH 4/5] Fix ANSSI document number for consistency
|
||||
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 6e39a978e5..4454976862 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -4,7 +4,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index f0a77bccd7..cc2cbd8359 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 411f0c03aa..846ace9002 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (enhanced)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index d9147b2dd0..e4db830291 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: false
|
||||
title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index 6dcd2b8ef2..a9e0442257 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (intermediary)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 54e8cbd5a6..090b571bb6 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -3,7 +3,7 @@ documentation_complete: true
|
||||
title: 'ANSSI-BP-028 (minimal)'
|
||||
|
||||
description: |-
|
||||
- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
|
||||
+ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 5 Feb 2021 16:05:07 +0100
|
||||
Subject: [PATCH 5/5] Fix single quote in ANSSI name
|
||||
|
||||
Previously the description was enclosed in single quotes, requiring a
|
||||
single quote to be escaped.
|
||||
Now the description is not enclosed in single quotes and there is no
|
||||
need to escape it.
|
||||
---
|
||||
rhel7/profiles/anssi_nt28_enhanced.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_high.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
|
||||
rhel7/profiles/anssi_nt28_minimal.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_enhanced.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_high.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
|
||||
rhel8/profiles/anssi_bp28_minimal.profile | 2 +-
|
||||
8 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_high.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
index 4454976862..0c43ab8d73 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_intermediary.profile
|
||||
@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
index cc2cbd8359..480333747c 100644
|
||||
--- a/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
+++ b/rhel7/profiles/anssi_nt28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
index 846ace9002..bbc11353f3 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_enhanced.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e4db830291..22efad9c09 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
index a9e0442257..a592031673 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_intermediary.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
||||
diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
index 090b571bb6..cef8394114 100644
|
||||
--- a/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
+++ b/rhel8/profiles/anssi_bp28_minimal.profile
|
||||
@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
|
||||
description: |-
|
||||
This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
|
||||
|
||||
- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
|
||||
+ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
|
||||
ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
|
||||
|
||||
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
|
@ -0,0 +1,89 @@
|
||||
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 18 Jan 2021 11:18:43 +0100
|
||||
Subject: [PATCH] Update metadata for a few miminal and intermediary
|
||||
requirements
|
||||
|
||||
---
|
||||
controls/anssi.yml | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index dec9d68c99..9288ac1663 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -506,7 +506,10 @@ controls:
|
||||
- id: R27
|
||||
title: Disabling service accounts
|
||||
level: intermediary
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ It is difficult to generally identify the system's service accounts.
|
||||
+ Assisting rules could list users which are not disabled for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R28
|
||||
level: enhanced
|
||||
@@ -530,7 +533,10 @@ controls:
|
||||
- id: R30
|
||||
level: minimal
|
||||
title: Applications using PAM
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of applications using PAM is minimal.
|
||||
+ Asssising rules could be created to list all applications using PAM for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R31
|
||||
title: Securing PAM Authentication Network Services
|
||||
@@ -580,6 +586,7 @@ controls:
|
||||
- id: R36
|
||||
title: Rights to access sensitive content files
|
||||
level: intermediary
|
||||
+ automated: yes
|
||||
rules:
|
||||
- file_owner_etc_shadow
|
||||
- file_permissions_etc_shadow
|
||||
@@ -637,7 +644,10 @@ controls:
|
||||
- id: R42
|
||||
level: minimal
|
||||
title: In memory services and daemons
|
||||
- # rules: TBD
|
||||
+ notes: >-
|
||||
+ Manual review is necessary to decide if the list of resident daemons is minimal.
|
||||
+ Asssising rules could be created to list sevices listening on the network for manual review.
|
||||
+ automated: no
|
||||
|
||||
- id: R43
|
||||
title: Hardening and configuring the syslog
|
||||
@@ -709,6 +719,7 @@ controls:
|
||||
- id: R48
|
||||
level: intermediary
|
||||
title: Configuring the local messaging service
|
||||
+ automated: yes
|
||||
rules:
|
||||
- postfix_network_listening_disabled
|
||||
|
||||
@@ -825,6 +836,7 @@ controls:
|
||||
level: intermediary
|
||||
title: Privileges of target sudo users
|
||||
description: The targeted users of a rule should be, as much as possible, non privileged users.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_root_target
|
||||
|
||||
@@ -840,12 +852,14 @@ controls:
|
||||
level: intermediary
|
||||
title: Good use of negation in a sudoers file
|
||||
description: The sudoers configuration rules should not involve negation.
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_no_command_negation
|
||||
|
||||
- id: R63
|
||||
level: intermediary
|
||||
title: Explicit arguments in sudo specifications
|
||||
+ automated: yes
|
||||
rules:
|
||||
- sudoers_explicit_command_args
|
||||
|
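Review bot: The new `notes:` text added for R30 and R42 in the embedded controls/anssi.yml patch carries typos that will be shipped verbatim in the package patch: `Asssising rules could be created to list all applications using PAM for manual review.` should read `Assisting rules could be created to list all applications using PAM for manual review.`, and the R42 line should read `Assisting rules could be created to list services listening on the network for manual review.` (fixing both `Asssising` and `sevices`). These notes are presumably rendered into the generated control documentation alongside the `automated: no` marker, so the wording is user-facing and worth correcting before the patch is carried downstream. The embedded commit subject also misspells `miminal` (minimal), but that is commit-message text and cosmetic only. The name of the patch file this section adds is not shown in this view.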
@ -0,0 +1,352 @@
|
||||
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Mon, 8 Feb 2021 15:57:43 +0100
|
||||
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
|
||||
kickstart
|
||||
|
||||
---
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
||||
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
|
||||
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
index 1d35bedb91..c381512476 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
index 73225c2fab..a672b38b83 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
||||
@@ -103,7 +103,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
index 20c4c59a78..88a7cee8ab 100644
|
||||
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
||||
@@ -99,7 +99,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
index 728946ecb7..6f66a3774b 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
index cd0eff2625..b5c09253a5 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
||||
@@ -94,7 +94,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
index 3a241b06f4..fb785e0c11 100644
|
||||
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
||||
@@ -90,7 +90,7 @@ zerombr
|
||||
clearpart --linux --initlabel
|
||||
|
||||
# Create primary system partitions (required for installs)
|
||||
-part /boot --fstype=xfs --size=512
|
||||
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
part pv.01 --grow --size=1
|
||||
|
||||
# Create a Logical Volume Management (LVM) group (optional)
|
||||
|
||||
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:34 +0100
|
||||
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
|
||||
remediation
|
||||
|
||||
---
|
||||
.../bash/shared.sh | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7e2b3bd76b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+include_mount_options_functions
|
||||
+
|
||||
+MOUNT_OPTION="nodev"
|
||||
+# Create array of local non-root partitions
|
||||
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
|
||||
+
|
||||
+for partition_record in "${partitions_records[@]}"; do
|
||||
+ # Get all important information for fstab
|
||||
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
|
||||
+ device="$(echo ${partition_record} | cut -d " " -f2)"
|
||||
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
|
||||
+ # device and device_type will be used only in case when the device doesn't have fstab record
|
||||
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
|
||||
+ ensure_partition_is_mounted "$mount_point"
|
||||
+done
|
||||
|
||||
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.com>
|
||||
Date: Tue, 9 Feb 2021 12:45:54 +0100
|
||||
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
|
||||
scenarios
|
||||
|
||||
---
|
||||
.../tests/correct.pass.sh | 23 +++++++++++++++++
|
||||
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
|
||||
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
|
||||
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
|
||||
5 files changed, 113 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..8bfac4b80f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..84cadd6f73
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
||||
@@ -0,0 +1,19 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+mkdir /tmp/test_dir
|
||||
+mount $PARTITION /tmp/test_dir
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..7a09093f46
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c20a98bdcc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+PARTITION="/dev/new_partition1"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
||||
+mount_partition "/tmp/partition1"
|
||||
+
|
||||
+PARTITION="/dev/new_partition2"; create_partition
|
||||
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
||||
+mount_partition "/tmp/partition2"
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a95410526f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
||||
@@ -0,0 +1,25 @@
|
||||
+#!/bin/bash
|
||||
+# packages = nfs-utils
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+# Add nodev option to all records in fstab to ensure that test will
|
||||
+# run on environment where everything is set correctly for rule check.
|
||||
+cp /etc/fstab /etc/fstab.backup
|
||||
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
||||
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
||||
+# Remount all partitions. (--all option can't be used because it doesn't
|
||||
+# mount e.g. /boot partition
|
||||
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
||||
+for partition in ${partitions[@]}; do
|
||||
+ mount -o remount "$partition"
|
||||
+done
|
||||
+
|
||||
+mkdir /tmp/testdir
|
||||
+mkdir /tmp/testmount
|
||||
+chown 2 /tmp/testdir
|
||||
+chmod 777 /tmp/testdir
|
||||
+
|
||||
+echo '/tmp/testdir localhost(rw)' > /etc/exports
|
||||
+systemctl restart nfs-server
|
||||
+mount.nfs localhost:/tmp/testdir /tmp/testmount
|
||||
|
||||
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 18:32:26 +0100
|
||||
Subject: [PATCH 4/5] Add Ansible for
|
||||
mount_option_nodev_nonroot_local_partitions
|
||||
|
||||
The remediation metadata were inspired by the template mount_options
|
||||
---
|
||||
.../ansible/shared.yml | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..8530604308
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -0,0 +1,18 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = high
|
||||
+
|
||||
+- name: Ensure non-root local partitions are mounted with nodev option
|
||||
+ mount:
|
||||
+ path: "{{ item.mount }}"
|
||||
+ src: "{{ item.device}}"
|
||||
+ opts: "{{ item.options }},nodev"
|
||||
+ state: "mounted"
|
||||
+ fstype: "{{ item.fstype }}"
|
||||
+ when:
|
||||
+ - "item.mount is match('/\\w')"
|
||||
+ - "item.options is not search('nodev')"
|
||||
+ with_items:
|
||||
+ - "{{ ansible_facts.mounts }}"
|
||||
|
||||
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 20:29:32 +0100
|
||||
Subject: [PATCH 5/5] Add space before and after variable
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
index 8530604308..2aa9a53e4d 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
- name: Ensure non-root local partitions are mounted with nodev option
|
||||
mount:
|
||||
path: "{{ item.mount }}"
|
||||
- src: "{{ item.device}}"
|
||||
+ src: "{{ item.device }}"
|
||||
opts: "{{ item.options }},nodev"
|
||||
state: "mounted"
|
||||
fstype: "{{ item.fstype }}"
|
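Review bot: The `when` list of the Ansible remediation (patch 4, `ansible/shared.yml`; patch 5 only touches the `src:` spacing in the same task) selects every `ansible_facts.mounts` entry whose path matches `/\w`, so it is wider than the bash remediation in patch 2, which only takes `findmnt` records whose source is a `/dev/` node; a network mount such as the NFS export set up in `remote_without_nodev.pass.sh` would be rewritten with `nodev` and given an fstab entry even though that scenario expects it to be out of the rule's scope. Adding `- "item.device is match('/dev/\\w')"` to the `when` list brings the two remediations back in line with the rule title. Separately, in each of the five test scenarios the `sed -e 's/\bnodev\b/,/g' ...` invocation has neither `-i` nor a redirect, so its output is discarded and the following `awk` reads the unmodified `/etc/fstab.backup`; either drop that line or feed its output into the `awk`.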
@ -1,57 +1,47 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.50
|
||||
Release: 16%{?dist}
|
||||
Version: 0.1.54
|
||||
Release: 5%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
Group: Applications/System
|
||||
License: BSD
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
|
||||
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
|
||||
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
|
||||
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
|
||||
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
|
||||
# Patch6 already contains typo fix
|
||||
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
|
||||
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
|
||||
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
|
||||
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
|
||||
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
|
||||
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
|
||||
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
|
||||
Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
|
||||
Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
|
||||
Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch
|
||||
Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
|
||||
Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
|
||||
Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
|
||||
Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
|
||||
Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
|
||||
Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
|
||||
Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
|
||||
Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
|
||||
Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
|
||||
Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
|
||||
Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
|
||||
Patch27: scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
|
||||
Patch28: scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
|
||||
Patch29: scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
|
||||
Patch30: scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
|
||||
Patch31: scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
|
||||
Patch32: scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
|
||||
Patch33: scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
|
||||
# To ease backport, patch 33 also includes changes from #5995
|
||||
Patch34: scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
|
||||
Patch35: scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
|
||||
Patch36: scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
|
||||
Patch37: scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
|
||||
Patch38: scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
|
||||
Patch39: scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
|
||||
Patch40: scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
|
||||
Patch41: scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
|
||||
Patch42: scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
|
||||
Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
|
||||
Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
|
||||
Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
|
||||
Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
|
||||
Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
|
||||
Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
|
||||
Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
|
||||
Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
|
||||
Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
|
||||
Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
|
||||
Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
|
||||
Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
|
||||
Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
|
||||
Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
|
||||
Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
|
||||
Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
|
||||
Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
|
||||
Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
|
||||
Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
|
||||
Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
|
||||
Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
|
||||
Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
|
||||
Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
|
||||
Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
|
||||
Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
|
||||
Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
|
||||
Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
|
||||
# Untill ANSSI High profile is shipped we drop the ks too
|
||||
Patch28: remove-ANSSI-high-ks.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -85,7 +75,7 @@ hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -b 1
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
@ -115,27 +105,12 @@ present in %{name} package.
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
mkdir build
|
||||
|
||||
%build
|
||||
cd build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
||||
@ -148,6 +123,11 @@ cd build
|
||||
cd build
|
||||
%make_install
|
||||
|
||||
# Manually install pre-built rhel6 content
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
@ -163,12 +143,39 @@ cd build
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%changelog
|
||||
* Fri Oct 09 2020 Watson Sato <wsato@redhat.com> - 0.1.50-16
|
||||
- Fix Bash platform in empty remediations (rhbz#1886318)
|
||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
||||
|
||||
* Tue Oct 06 2020 Watson Sato <wsato@redhat.com> - 0.1.50-15
|
||||
- Add and select zIPL bootloader rules in OSPP (rhbz#1886318)
|
||||
- Add support for remediation platforms
|
||||
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
|
||||
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
|
||||
|
||||
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
|
||||
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
|
||||
|
||||
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
|
||||
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
|
||||
|
||||
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
|
||||
|
||||
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
|
||||
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
|
||||
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
|
||||
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
|
||||
|
||||
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
|
||||
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
|
||||
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
|
||||
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
|
||||
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
|
||||
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
|
||||
|
||||
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
|
||||
- Update list of profiles built (RHBZ#1889344)
|
||||
|
||||
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
|
||||
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
|
||||
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
|
||||
|
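Review bot: The three `cp -r %{_builddir}/%{_static_rhel6_content}/...` lines in the `%install` hunk (which appear to be new here, together with `Source1` and `%setup -q -b 1` from the earlier hunks) copy pre-built content straight into `%{buildroot}` without any record of how that tarball was produced, so the shipped RHEL6 datastreams, tables and guides are no longer reproducible from this spec alone. A comment above `Source1:` such as `# Pre-built rhel6 content; the tarball name records the scap-security-guide build it was taken from - regenerate from that source rather than editing the archive` would give a reviewer of a later rebase a place to start, and the meaning of `%{_static_rhel6_content}` belongs in the same comment. If upstream 0.1.54 still honours `-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE` (left as context in the `%build` hunk) the copy silently overwrites freshly built files; if it does not, that flag is dead and could be dropped, but which of the two applies is not visible here. Minor: `Patch1` is the only source named `.diff` rather than `.patch`, and the comment above `Patch28` reads `Untill`.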