import scap-security-guide-0.1.48-7.el8
parent
0ac390339a
commit
41c5266b38
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/scap-security-guide-0.1.46.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.48.tar.bz2
|
||||
|
@ -1 +1 @@
|
||||
05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2
|
||||
a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2
|
||||
|
@ -1,34 +1,37 @@
|
||||
From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 17 Dec 2018 13:30:06 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
|
||||
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 19:01:22 +0100
|
||||
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
They raise too many errors and fails.
|
||||
Also disable tables for profiles that are not built.
|
||||
---
|
||||
rhel8/CMakeLists.txt | 3 ++-
|
||||
rhel8/CMakeLists.txt | 2 --
|
||||
rhel8/profiles/cjis.profile | 2 +-
|
||||
rhel8/profiles/cui.profile | 2 +-
|
||||
rhel8/profiles/hipaa.profile | 2 +-
|
||||
rhel8/profiles/rhelh-stig.profile | 2 +-
|
||||
rhel8/profiles/rhelh-vpp.profile | 2 +-
|
||||
rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
rhel8/profiles/standard.profile | 2 +-
|
||||
6 files changed, 7 insertions(+), 6 deletions(-)
|
||||
9 files changed, 8 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index 99bccbed7..77f8ccaec 100644
|
||||
index 40f2b2b0f..492a8dae1 100644
|
||||
--- a/rhel8/CMakeLists.txt
|
||||
+++ b/rhel8/CMakeLists.txt
|
||||
@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
|
||||
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
|
||||
|
||||
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
|
||||
+# Standard profile is disabled for RHEL8 as it is not in good shape
|
||||
+#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
|
||||
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
|
||||
|
||||
# Uncomment when anssi profiles are marked documentation_complete: true
|
||||
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
|
||||
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index a7f8c0b16..c460793be 100644
|
||||
index 05ea9cdd6..9c55ac5b1 100644
|
||||
--- a/rhel8/profiles/cjis.profile
|
||||
+++ b/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -48,7 +51,7 @@ index eb62252a4..e8f369708 100644
|
||||
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
|
||||
|
||||
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
|
||||
index feb98007c..0667f65ed 100644
|
||||
index 8d20f9019..d641b56fe 100644
|
||||
--- a/rhel8/profiles/hipaa.profile
|
||||
+++ b/rhel8/profiles/hipaa.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -57,8 +60,28 @@ index feb98007c..0667f65ed 100644
|
||||
|
||||
title: 'Health Insurance Portability and Accountability Act (HIPAA)'
|
||||
|
||||
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
|
||||
index 1efca5f44..c3d0b0964 100644
|
||||
--- a/rhel8/profiles/rhelh-stig.profile
|
||||
+++ b/rhel8/profiles/rhelh-stig.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
|
||||
index 2baee6d66..8592d7aaf 100644
|
||||
--- a/rhel8/profiles/rhelh-vpp.profile
|
||||
+++ b/rhel8/profiles/rhelh-vpp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
-documentation_complete: true
|
||||
+documentation_complete: false
|
||||
|
||||
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
|
||||
|
||||
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index 023663b21..8b22bc711 100644
|
||||
index c84579592..164ec98c4 100644
|
||||
--- a/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -78,5 +101,5 @@ index a63ae2cf3..da669bb84 100644
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.19.2
|
||||
2.21.1
|
||||
|
||||
|
@ -0,0 +1,21 @@
|
||||
From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 11 Feb 2020 13:53:46 +0100
|
||||
Subject: [PATCH] Add CCE identifier for openssh-server installed
|
||||
|
||||
---
|
||||
.../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 +
|
||||
2 files changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
index ba013ec509..cecd6514fb 100644
|
||||
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
@@ -17,6 +17,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: 80215-7
|
||||
+ cce@rhel8: 83303-8
|
||||
|
||||
references:
|
||||
disa: 2418,2420,2421,2422
|
150
SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 5 Feb 2020 10:23:44 +0100
|
||||
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
|
||||
|
||||
---
|
||||
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
|
||||
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
|
||||
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
|
||||
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
|
||||
4 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||||
index 1b42b7233b..4dcbc458d1 100644
|
||||
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
||||
@@ -37,6 +37,7 @@ references:
|
||||
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
|
||||
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
|
||||
cis-csc: 11,14,3,9
|
||||
+ srg: SRG-OS-000096-GPOS-00050
|
||||
|
||||
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||||
index 298f17d2d8..d1ec9f644e 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
||||
@@ -28,6 +28,7 @@ identifiers:
|
||||
references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||||
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
|
||||
+ srg: SRG-OS-000368-GPOS-00154
|
||||
|
||||
platform: machine
|
||||
|
||||
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
||||
index b20323c1af..39aa044941 100644
|
||||
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
||||
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
||||
@@ -34,7 +34,7 @@ references:
|
||||
nist-csf: PR.AC-7
|
||||
ospp: FMT_MOF_EXT.1
|
||||
pcidss: Req-8.1.8
|
||||
- srg: OS-SRG-000029-GPOS-00010
|
||||
+ srg: SRG-OS-000029-GPOS-00010
|
||||
stigid@rhel7: "010110"
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
||||
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
||||
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
||||
index 0380f0149f..7742b8d862 100644
|
||||
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
||||
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
||||
@@ -35,7 +35,7 @@ references:
|
||||
nist-csf: PR.AC-7
|
||||
ospp: FMT_MOF_EXT.1
|
||||
pcidss: Req-8.1.8
|
||||
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
|
||||
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
|
||||
stigid@rhel7: "010060"
|
||||
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
||||
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
||||
|
||||
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 5 Feb 2020 10:33:54 +0100
|
||||
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
|
||||
|
||||
The SRG is about configuring the system in accordance with security
|
||||
baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
|
||||
---
|
||||
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
|
||||
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
index 4bfb72702b..62b2d01924 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
@@ -25,6 +25,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
ospp: FIA_AFL.1
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
To determine whether the SSH service is configured to use strong entropy seed,
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
index 8a958e93b0..47dc8953e4 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
@@ -25,6 +25,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
ospp: FIA_AFL.1
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
|
||||
|
||||
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 5 Feb 2020 11:12:02 +0100
|
||||
Subject: [PATCH 3/4] Same SRG mapping as
|
||||
package_subscription-manager_installed
|
||||
|
||||
The package provides an interface for automation of package updates
|
||||
---
|
||||
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
||||
index 6b0144fd54..8f081d9a3c 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
||||
@@ -20,6 +20,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
|
||||
+ srg: SRG-OS-000366-GPOS-00153
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
||||
|
||||
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 5 Feb 2020 11:14:35 +0100
|
||||
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
|
||||
|
||||
From rule's rationale:
|
||||
Binaries in pigz package are compiled without sufficient stack
|
||||
protection and its ADSLR is weak.
|
||||
---
|
||||
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
||||
index 595b78e768..bb724d916d 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
||||
@@ -18,6 +18,9 @@ severity: low
|
||||
identifiers:
|
||||
cce@rhel8: 82397-1
|
||||
|
||||
+references:
|
||||
+ srg: SRG-OS-000433-GPOS-00192
|
||||
+
|
||||
{{{ complete_ocil_entry_package(package="pigz") }}}
|
||||
|
||||
template:
|
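Review bot: PATCH 1/4 corrects two `srg:` values whose prefix was reversed (`OS-SRG-000029-GPOS-00010` and `OS-SRG-000030-GPOS-00011` become `SRG-OS-…`), but nothing in the series adds a check that would stop the same slip elsewhere; a small test asserting every `srg:` reference value matches `^SRG-OS-[0-9]{6}-GPOS-[0-9]{5}$` would have caught both and would also guard the new entries added here, unless the upstream test suite already does this. Two typos in the embedded commit messages are worth fixing if the series is ever regenerated: `entopy` in the subject of PATCH 2/4, and `ADSLR` (for ASLR) in the subject and body of PATCH 4/4 — only the diff bodies are applied at build time, so they are cosmetic in this repository.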
23
SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
Normal file
@ -0,0 +1,23 @@
|
||||
From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 4 Feb 2020 17:38:45 +0100
|
||||
Subject: [PATCH] Add rules to configure rsyslog TLS
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index d85e18e9d0..821cc26914 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -33,3 +33,9 @@ selections:
|
||||
- encrypt_partitions
|
||||
- sysctl_net_ipv4_tcp_syncookies
|
||||
- clean_components_post_updating
|
||||
+
|
||||
+ # Configure TLS for remote logging
|
||||
+ - package_rsyslog_installed
|
||||
+ - package_rsyslog-gnutls_installed
|
||||
+ - rsyslog_remote_tls
|
||||
+ - rsyslog_remote_tls_cacert
|
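Review bot: The four rules this patch adds to `stig.profile` (`package_rsyslog_installed`, `package_rsyslog-gnutls_installed`, `rsyslog_remote_tls`, `rsyslog_remote_tls_cacert`) are the same ones that `scap-security-guide-0.1.49-drop-rsyslog-rules.patch` in this commit removes from `ospp.profile` with only `# temporarily dropped` as the explanation. If they were dropped from OSPP because the rules themselves are not ready (the page does not say), the STIG profile inherits that problem; if the reason is OSPP-specific, one sentence in this patch's description, e.g. `The same rules are dropped from OSPP in this build because <reason placeholder>; they stay in STIG because <reason placeholder>`, would spare the next reader the same question. The `rsyslog_remote_tls*` rules presumably need the remote log server and the CA certificate to be configured, so the profile may also need the corresponding variable selections — worth confirming against the rule definitions.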
184
SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch
Normal file
@ -0,0 +1,184 @@
|
||||
From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 3 Feb 2020 21:23:59 +0100
|
||||
Subject: [PATCH] Add Kickstart file for STIG profile
|
||||
|
||||
Based on OSPP KS
|
||||
---
|
||||
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++
|
||||
1 file changed, 167 insertions(+)
|
||||
create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
|
||||
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
new file mode 100644
|
||||
index 0000000000..8c970dd6ff
|
||||
--- /dev/null
|
||||
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
|
||||
@@ -0,0 +1,167 @@
|
||||
+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
|
||||
+#
|
||||
+# Based on:
|
||||
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
|
||||
+
|
||||
+# Install a fresh new system (optional)
|
||||
+install
|
||||
+
|
||||
+# Specify installation method to use for installation
|
||||
+# To use a different one comment out the 'url' one below, update
|
||||
+# the selected choice with proper options & un-comment it
|
||||
+#
|
||||
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||
+# --url the URL to install from
|
||||
+#
|
||||
+# Example:
|
||||
+#
|
||||
+# url --url=http://192.168.122.1/image
|
||||
+#
|
||||
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||
+# environment machine is to be installed in
|
||||
+#
|
||||
+# Other possible / supported installation methods:
|
||||
+# * install from the first CD-ROM/DVD drive on the system:
|
||||
+#
|
||||
+# cdrom
|
||||
+#
|
||||
+# * install from a directory of ISO images on a local drive:
|
||||
+#
|
||||
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||
+#
|
||||
+# * install from provided NFS server:
|
||||
+#
|
||||
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||
+#
|
||||
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||
+lang en_US.UTF-8
|
||||
+
|
||||
+# Set system keyboard type / layout (required)
|
||||
+keyboard us
|
||||
+
|
||||
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||
+# --onboot enable device at a boot time
|
||||
+# --device device to be activated and / or configured with the network command
|
||||
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||
+# --noipv6 disable IPv6 on this device
|
||||
+#
|
||||
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||
+# "--bootproto=static" must be used. For example:
|
||||
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||
+#
|
||||
+network --onboot yes --bootproto dhcp
|
||||
+
|
||||
+# Set the system's root password (required)
|
||||
+# Plaintext password is: server
|
||||
+# Refer to e.g.
|
||||
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
+# to see how to create encrypted password form for different plaintext password
|
||||
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
|
||||
+
|
||||
+# The selected profile will restrict root login
|
||||
+# Add a user that can login and escalate privileges
|
||||
+# Plaintext password is: admin123
|
||||
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||
+
|
||||
+# Configure firewall settings for the system (optional)
|
||||
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||
+# --ssh allow sshd service through the firewall
|
||||
+firewall --enabled --ssh
|
||||
+
|
||||
+# Set up the authentication options for the system (required)
|
||||
+# --enableshadow enable shadowed passwords by default
|
||||
+# --passalgo hash / crypt algorithm for new passwords
|
||||
+# See the manual page for authconfig for a complete list of possible options.
|
||||
+authconfig --enableshadow --passalgo=sha512
|
||||
+
|
||||
+# State of SELinux on the installed system (optional)
|
||||
+# Defaults to enforcing
|
||||
+selinux --enforcing
|
||||
+
|
||||
+# Set the system time zone (required)
|
||||
+timezone --utc America/New_York
|
||||
+
|
||||
+# Specify how the bootloader should be installed (required)
|
||||
+# Refer to e.g.
|
||||
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
|
||||
+# to see how to create encrypted password form for different plaintext password
|
||||
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
|
||||
+
|
||||
+# Initialize (format) all disks (optional)
|
||||
+zerombr
|
||||
+
|
||||
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||
+#
|
||||
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||
+# --linux erase all Linux partitions
|
||||
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||
+clearpart --linux --initlabel
|
||||
+
|
||||
+# Create primary system partitions (required for installs)
|
||||
+part /boot --fstype=xfs --size=512
|
||||
+part pv.01 --grow --size=1
|
||||
+
|
||||
+# Create a Logical Volume Management (LVM) group (optional)
|
||||
+volgroup VolGroup --pesize=4096 pv.01
|
||||
+
|
||||
+# Create particular logical volumes (optional)
|
||||
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
|
||||
+# Ensure /home Located On Separate Partition
|
||||
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
||||
+# Ensure /tmp Located On Separate Partition
|
||||
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var/tmp Located On Separate Partition
|
||||
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var Located On Separate Partition
|
||||
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
|
||||
+# Ensure /var/log Located On Separate Partition
|
||||
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
||||
+# Ensure /var/log/audit Located On Separate Partition
|
||||
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
|
||||
+logvol swap --name=swap --vgname=VolGroup --size=2016
|
||||
+
|
||||
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
|
||||
+# content - security policies - on the installed system.This add-on has been enabled by default
|
||||
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
|
||||
+# functionality will automatically be installed. However, by default, no policies are enforced,
|
||||
+# meaning that no checks are performed during or after installation unless specifically configured.
|
||||
+#
|
||||
+# Important
|
||||
+# Applying a security policy is not necessary on all systems. This screen should only be used
|
||||
+# when a specific policy is mandated by your organization rules or government regulations.
|
||||
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
|
||||
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
|
||||
+# Values can be optionally enclosed in single quotes (') or double quotes (").
|
||||
+#
|
||||
+# The following keys are recognized by the add-on:
|
||||
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
|
||||
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
|
||||
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
|
||||
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
|
||||
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
|
||||
+# xccdf-id - ID of the benchmark you want to use.
|
||||
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
|
||||
+# profile - ID of the profile to be applied. Use default to apply the default profile.
|
||||
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
|
||||
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
|
||||
+#
|
||||
+# The following is an example %addon org_fedora_oscap section which uses content from the
|
||||
+# scap-security-guide on the installation media:
|
||||
+%addon org_fedora_oscap
|
||||
+ content-type = scap-security-guide
|
||||
+ profile = xccdf_org.ssgproject.content_profile_stig
|
||||
+%end
|
||||
+
|
||||
+# Packages selection (%packages section is required)
|
||||
+%packages
|
||||
+
|
||||
+# Require @Base
|
||||
+@Base
|
||||
+
|
||||
+%end # End of %packages section
|
||||
+
|
||||
+# Reboot after the installation is complete (optional)
|
||||
+# --eject attempt to eject CD or DVD media before rebooting
|
||||
+reboot --eject
|
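Review bot: The comment block above `bootloader` (`# Refer to e.g. … commands.html#rootpw … to see how to create encrypted password form`) is copied from the `rootpw` block, and no password is actually passed to `bootloader`; for a STIG kickstart this matters, since the STIG profile, as far as I recall, selects the GRUB2 password rule, so either add `bootloader --iscrypted --password=<grub2-pbkdf2-hash placeholder> --location=mbr --append="…"` or drop the misleading comment. The root password `server` and the admin password `admin123` are spelled out in the file, so any system installed from it unchanged has publicly known credentials; a line such as `# CHANGE both passwords below before using this kickstart outside a lab` next to them is the minimum, and a sentence in the patch description would help too. `install` and `authconfig` are deprecated kickstart commands on RHEL 8 (`authselect` replaces the latter), and the NOTE citing `CCE-27021-5 (DISA FSO RHEL-06-000292)` is a RHEL 6 reference carried over from the OSPP kickstart — both are follow-ups rather than blockers.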
36
SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek
|
||||
<vpolasek@redhat.com>
|
||||
Date: Mon, 3 Feb 2020 11:37:50 +0100
|
||||
Subject: remove rsyslog rules from ospp
|
||||
|
||||
---
|
||||
rhel8/profiles/ospp.profile | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index ef3ced501..fb653de9d 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -178,8 +178,6 @@ selections:
|
||||
- package_audispd-plugins_installed
|
||||
- package_scap-security-guide_installed
|
||||
- package_audit_installed
|
||||
- - package_rsyslog_installed
|
||||
- - package_rsyslog-gnutls_installed
|
||||
- package_gnutls-utils_installed
|
||||
- package_nss-tools_installed
|
||||
|
||||
@@ -391,8 +389,7 @@ selections:
|
||||
- timer_dnf-automatic_enabled
|
||||
|
||||
# Configure TLS for remote logging
|
||||
- - rsyslog_remote_tls
|
||||
- - rsyslog_remote_tls_cacert
|
||||
+ # temporarily dropped
|
||||
|
||||
# Prevent Kerberos use by system daemons
|
||||
- kerberos_disable_no_keytab
|
||||
--
|
||||
2.25.0
|
||||
|
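Review bot: The `+ # temporarily dropped` comment left in `ospp.profile` gives neither a reason nor a reference, and the `# Configure TLS for remote logging` heading above it now introduces nothing, so a reader of the profile cannot tell whether the rules are broken, failing in the OSPP test runs, or out of certification scope. Suggest `# Remote logging TLS rules temporarily dropped — see <tracking reference placeholder>` (or remove the heading as well) and state the reason in the patch description, all the more because `scap-security-guide-0.1.49-add-rsyslog-to-stig.patch` in this same commit adds the same rules to the STIG profile. The `From:` header of the embedded patch is split over two lines (`From: Vojtech Polasek` then `<vpolasek@redhat.com>`) with no leading whitespace on the continuation, which `git am` may not parse as one header; `%autosetup`/`patch` ignore mail headers, so this only matters if the file is ever re-applied with `git am`.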
49
SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 6 Feb 2020 11:29:31 +0100
|
||||
Subject: [PATCH] Map missing SRG rules
|
||||
|
||||
---
|
||||
.../guide/system/software/gnome/dconf_db_up_to_date/rule.yml | 3 +++
|
||||
.../system-tools/package_gnutls-utils_installed/rule.yml | 1 +
|
||||
.../software/system-tools/package_nss-tools_installed/rule.yml | 1 +
|
||||
3 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
|
||||
index 3017b789f8..3e0b4fa2d1 100644
|
||||
--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
|
||||
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
|
||||
@@ -20,6 +20,9 @@ identifiers:
|
||||
cce@rhel8: 81003-6
|
||||
cce@rhel7: 81004-4
|
||||
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+
|
||||
ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles'
|
||||
|
||||
ocil: |-
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||||
index ebb8ad95f0..1374900664 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
|
||||
@@ -21,6 +21,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
ospp: FMT_SMF_EXT.1
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
|
||||
index 32c9c32893..5d0d679a1a 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
|
||||
@@ -19,6 +19,7 @@ identifiers:
|
||||
|
||||
references:
|
||||
ospp: FMT_SMF_EXT.1
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 14:17:00 +0100
|
||||
Subject: [PATCH 1/2] Don't check for path len of logs directory
|
||||
|
||||
The logs are not part of the tarball, nor used to build the content.
|
||||
---
|
||||
tests/ensure_paths_are_short.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
|
||||
index 5d4e27cb91..18d4c662ff 100755
|
||||
--- a/tests/ensure_paths_are_short.py
|
||||
+++ b/tests/ensure_paths_are_short.py
|
||||
@@ -13,6 +13,10 @@ def main():
|
||||
ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
|
||||
max_path = ""
|
||||
for dir_, _, files in os.walk(ssg_root):
|
||||
+ # Don't check for path len of log files
|
||||
+ # They are not shipped nor used during build
|
||||
+ if "tests/logs/" in dir_:
|
||||
+ continue
|
||||
for file_ in files:
|
||||
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
|
||||
if len(path) > len(max_path):
|
||||
|
||||
From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 15:05:17 +0100
|
||||
Subject: [PATCH 2/2] Skip only only tests/logs/ from project root
|
||||
|
||||
---
|
||||
tests/ensure_paths_are_short.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
|
||||
index 18d4c662ff..b9e985fea0 100755
|
||||
--- a/tests/ensure_paths_are_short.py
|
||||
+++ b/tests/ensure_paths_are_short.py
|
||||
@@ -15,7 +15,8 @@ def main():
|
||||
for dir_, _, files in os.walk(ssg_root):
|
||||
# Don't check for path len of log files
|
||||
# They are not shipped nor used during build
|
||||
- if "tests/logs/" in dir_:
|
||||
+ current_relative_path = os.path.relpath(dir_, ssg_root)
|
||||
+ if current_relative_path.startswith("tests/logs/"):
|
||||
continue
|
||||
for file_ in files:
|
||||
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
|
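Review bot: The new `startswith("tests/logs/")` test in PATCH 2/2 never matches the `tests/logs` directory itself, because `os.path.relpath(dir_, ssg_root)` returns `tests/logs` without a trailing separator, so files placed directly in that directory are still measured and only its subdirectories are skipped. A check that covers both is `if current_relative_path == "tests/logs" or current_relative_path.startswith("tests/logs/"):`, or, to be separator-independent, `if (current_relative_path + os.sep).startswith(os.path.join("tests", "logs") + os.sep):`. The substring test PATCH 1/2 introduced had the same gap, so the first hunk needs no separate change. The body of `main()` starts and continues outside both hunks.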
@ -0,0 +1,593 @@
|
||||
From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Mon, 27 Jan 2020 11:51:53 +0100
|
||||
Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.
|
||||
|
||||
---
|
||||
.../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++
|
||||
rhel8/profiles/ospp.profile | 1 +
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
3 files changed, 66 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..e9ea8ed338
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
@@ -0,0 +1,65 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+# TODO: The plan is not to need this for RHEL>=8.4
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'OpenSSL uses strong entropy source'
|
||||
+
|
||||
+description: |-
|
||||
+ To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
|
||||
+ save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
|
||||
+ <pre>
|
||||
+ # provide a default -rand /dev/random option to openssl commands that
|
||||
+ # support it
|
||||
+
|
||||
+ # written inefficiently for maximum shell compatibility
|
||||
+ openssl()
|
||||
+ (
|
||||
+ openssl_bin=/usr/bin/openssl
|
||||
+
|
||||
+ case "$*" in
|
||||
+ # if user specified -rand, honor it
|
||||
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
|
||||
+ for i in `$openssl_bin list -commands`; do
|
||||
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
|
||||
+ cmds=" $i $cmds"
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ case "$cmds" in
|
||||
+ *\ "$1"\ *)
|
||||
+ cmd="$1"; shift
|
||||
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ exec $openssl_bin "$@"
|
||||
+ )
|
||||
+ </pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
|
||||
+ The referenced script is sourced to every login shell, and it transparently adds an option
|
||||
+ that enforces strong entropy to every <tt>openssl</tt> invocation,
|
||||
+ which makes <tt>openssl</tt> more secure by default.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82721-2
|
||||
+
|
||||
+references:
|
||||
+ ospp: FIA_AFL.1
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
|
||||
+ make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
|
||||
+ that are included in the rule's description.
|
||||
+
|
||||
+ocil_clause: |-
|
||||
+ there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
|
||||
+
|
||||
+warnings:
|
||||
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 63aea526b7..ef3ced5010 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -59,6 +59,7 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_rekey_limit
|
||||
- sshd_use_strong_rng
|
||||
+ - openssl_use_strong_entropy
|
||||
|
||||
# Time Server
|
||||
- chronyd_client_only
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 4cb08794f4..1733872dfa 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -248,6 +248,5 @@
|
||||
CCE-82719-6
|
||||
CCE-82720-4
|
||||
-CCE-82721-2
|
||||
CCE-82722-0
|
||||
CCE-82723-8
|
||||
CCE-82724-6
|
||||
|
||||
From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 27 Jan 2020 19:35:06 +0100
|
||||
Subject: [PATCH 2/6] create checks, remediations,
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 12 +++++++
|
||||
.../openssl_use_strong_entropy/bash/shared.sh | 5 +++
|
||||
.../oval/shared.xml | 34 +++++++++++++++++++
|
||||
.../openssl_use_strong_entropy/rule.yml | 29 +---------------
|
||||
shared/macros.jinja | 34 ++++++++++++++++++-
|
||||
5 files changed, 85 insertions(+), 29 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000000..3ce26d6525
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
@@ -0,0 +1,12 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: "copy a file with shell snippet to configure openssl strong entropy"
|
||||
+ copy:
|
||||
+ dest: /etc/profile.d/cc-config.sh
|
||||
+ content: |+
|
||||
+ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
|
||||
+
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000000..db5c331ce7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
|
||||
+{{{ openssl_strong_entropy_config_file() }}}
|
||||
+EOM
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000000..b441b7ae6e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
@@ -0,0 +1,34 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="openssl_use_strong_entropy" version="1">
|
||||
+ <metadata>
|
||||
+ <title>Configure Openssl to use strong entropy</title>
|
||||
+ <affected family="unix">
|
||||
+ <platform>Red Hat Enterprise Linux 8</platform>
|
||||
+ <platform>multi_platform_fedora</platform>
|
||||
+ </affected>
|
||||
+ <description>OpenSSL should be configured to generate random data with strong entropy.</description>
|
||||
+ </metadata>
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_openssl_strong_entropy"
|
||||
+ comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:filehash58_test id="test_openssl_strong_entropy"
|
||||
+ comment="Test if openssl is configured to generate random data with strong entropy" version="1"
|
||||
+ check="all" check_existence="all_exist">
|
||||
+ <ind:object object_ref="object_openssl_strong_entropy"/>
|
||||
+ <ind:state state_ref="state_openssl_strong_entropy"/>
|
||||
+ </ind:filehash58_test>
|
||||
+
|
||||
+ <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
|
||||
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
|
||||
+ <ind:hash_type>SHA-256</ind:hash_type>
|
||||
+ </ind:filehash58_object>
|
||||
+
|
||||
+ <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
|
||||
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
|
||||
+ <ind:hash_type>SHA-256</ind:hash_type>
|
||||
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
|
||||
+ </ind:filehash58_state>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
index e9ea8ed338..3b01da01af 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
@@ -9,34 +9,7 @@ description: |-
|
||||
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
|
||||
save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
|
||||
<pre>
|
||||
- # provide a default -rand /dev/random option to openssl commands that
|
||||
- # support it
|
||||
-
|
||||
- # written inefficiently for maximum shell compatibility
|
||||
- openssl()
|
||||
- (
|
||||
- openssl_bin=/usr/bin/openssl
|
||||
-
|
||||
- case "$*" in
|
||||
- # if user specified -rand, honor it
|
||||
- *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
|
||||
- esac
|
||||
-
|
||||
- cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
|
||||
- for i in `$openssl_bin list -commands`; do
|
||||
- if $openssl_bin list -options "$i" | grep -q '^rand '; then
|
||||
- cmds=" $i $cmds"
|
||||
- fi
|
||||
- done
|
||||
-
|
||||
- case "$cmds" in
|
||||
- *\ "$1"\ *)
|
||||
- cmd="$1"; shift
|
||||
- exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
|
||||
- esac
|
||||
-
|
||||
- exec $openssl_bin "$@"
|
||||
- )
|
||||
+ {{{ openssl_strong_entropy_config_file() | indent(4) }}}
|
||||
</pre>
|
||||
|
||||
rationale: |-
|
||||
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||||
index 77f8eb31c7..8a25acc937 100644
|
||||
--- a/shared/macros.jinja
|
||||
+++ b/shared/macros.jinja
|
||||
@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
|
||||
|
||||
|
||||
{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
|
||||
- When selecting this rule in a profile,
|
||||
+ When selecting this rule in a profile,
|
||||
{{%- if why %}}
|
||||
make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
|
||||
{{%- else %}}
|
||||
rule <code>{{{ rule_id }}}</code> has to be selected as well.
|
||||
{{%- endif %}}
|
||||
{{% endmacro %}}
|
||||
+
|
||||
+{{% macro openssl_strong_entropy_config_file() -%}}
|
||||
+# provide a default -rand /dev/random option to openssl commands that
|
||||
+# support it
|
||||
+
|
||||
+# written inefficiently for maximum shell compatibility
|
||||
+openssl()
|
||||
+(
|
||||
+ openssl_bin=/usr/bin/openssl
|
||||
+
|
||||
+ case "$*" in
|
||||
+ # if user specified -rand, honor it
|
||||
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
|
||||
+ for i in `$openssl_bin list -commands`; do
|
||||
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
|
||||
+ cmds=" $i $cmds"
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ case "$cmds" in
|
||||
+ *\ "$1"\ *)
|
||||
+ cmd="$1"; shift
|
||||
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ exec $openssl_bin "$@"
|
||||
+)
|
||||
+
|
||||
+{{%- endmacro %}}
|
||||
|
||||
From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 28 Jan 2020 13:42:40 +0100
|
||||
Subject: [PATCH 3/6] add tests
|
||||
|
||||
---
|
||||
.../tests/correct.pass.sh | 34 +++++++++++++++++++
|
||||
.../tests/file_missing.fail.sh | 5 +++
|
||||
.../tests/file_modified.fail.sh | 5 +++
|
||||
3 files changed, 44 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..0bffab3c81
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
@@ -0,0 +1,34 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
|
||||
+# provide a default -rand /dev/random option to openssl commands that
|
||||
+# support it
|
||||
+
|
||||
+# written inefficiently for maximum shell compatibility
|
||||
+openssl()
|
||||
+(
|
||||
+ openssl_bin=/usr/bin/openssl
|
||||
+
|
||||
+ case "$*" in
|
||||
+ # if user specified -rand, honor it
|
||||
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
|
||||
+ for i in `$openssl_bin list -commands`; do
|
||||
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
|
||||
+ cmds=" $i $cmds"
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ case "$cmds" in
|
||||
+ *\ "$1"\ *)
|
||||
+ cmd="$1"; shift
|
||||
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
|
||||
+ esac
|
||||
+
|
||||
+ exec $openssl_bin "$@"
|
||||
+)
|
||||
+EOM
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..c1d526902c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+rm -f /etc/profile.d/cc-config.sh
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..313d14a37f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
+
|
||||
+echo "wrong data" > /etc/profile.d/cc-config.sh
|
||||
|
||||
From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 29 Jan 2020 11:12:46 +0100
|
||||
Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do
|
||||
not support it
|
||||
|
||||
---
|
||||
.../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
index 3ce26d6525..bdc530f9f5 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
@@ -8,5 +8,5 @@
|
||||
copy:
|
||||
dest: /etc/profile.d/cc-config.sh
|
||||
content: |+
|
||||
- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
|
||||
+ {{{ openssl_strong_entropy_config_file()|indent(8) }}}
|
||||
|
||||
|
||||
From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 30 Jan 2020 14:25:31 +0100
|
||||
Subject: [PATCH 5/6] reword rationale, change file name
|
||||
|
||||
from cc-config.sh to openssl-rand.sh
|
||||
change title of oval
|
||||
---
|
||||
.../openssl_use_strong_entropy/ansible/shared.yml | 2 +-
|
||||
.../openssl_use_strong_entropy/bash/shared.sh | 2 +-
|
||||
.../openssl_use_strong_entropy/oval/shared.xml | 11 ++++-------
|
||||
.../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++---------
|
||||
.../tests/correct.pass.sh | 2 +-
|
||||
.../tests/file_missing.fail.sh | 2 +-
|
||||
.../tests/file_modified.fail.sh | 2 +-
|
||||
7 files changed, 14 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
index bdc530f9f5..6ee232892d 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
|
||||
- name: "copy a file with shell snippet to configure openssl strong entropy"
|
||||
copy:
|
||||
- dest: /etc/profile.d/cc-config.sh
|
||||
+ dest: /etc/profile.d/openssl-rand.sh
|
||||
content: |+
|
||||
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
index db5c331ce7..d8c9935005 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
|
||||
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
|
||||
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
|
||||
{{{ openssl_strong_entropy_config_file() }}}
|
||||
EOM
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
index b441b7ae6e..847754f36d 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
|
||||
@@ -1,11 +1,8 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="openssl_use_strong_entropy" version="1">
|
||||
<metadata>
|
||||
- <title>Configure Openssl to use strong entropy</title>
|
||||
- <affected family="unix">
|
||||
- <platform>Red Hat Enterprise Linux 8</platform>
|
||||
- <platform>multi_platform_fedora</platform>
|
||||
- </affected>
|
||||
+ <title>Configure OpenSSL to use strong entropy</title>
|
||||
+ {{{- oval_affected(products) }}}
|
||||
<description>OpenSSL should be configured to generate random data with strong entropy.</description>
|
||||
</metadata>
|
||||
<criteria>
|
||||
@@ -22,12 +19,12 @@
|
||||
</ind:filehash58_test>
|
||||
|
||||
<ind:filehash58_object id="object_openssl_strong_entropy" version="1">
|
||||
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
|
||||
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
|
||||
<ind:hash_type>SHA-256</ind:hash_type>
|
||||
</ind:filehash58_object>
|
||||
|
||||
<ind:filehash58_state id="state_openssl_strong_entropy" version="1">
|
||||
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
|
||||
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
|
||||
<ind:hash_type>SHA-256</ind:hash_type>
|
||||
<ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
|
||||
</ind:filehash58_state>
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
index 3b01da01af..dd82336532 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
|
||||
|
||||
description: |-
|
||||
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
|
||||
- save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
|
||||
+ save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
|
||||
<pre>
|
||||
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
|
||||
</pre>
|
||||
|
||||
rationale: |-
|
||||
- The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
|
||||
- The referenced script is sourced to every login shell, and it transparently adds an option
|
||||
- that enforces strong entropy to every <tt>openssl</tt> invocation,
|
||||
- which makes <tt>openssl</tt> more secure by default.
|
||||
+ This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
|
||||
|
||||
severity: medium
|
||||
-
|
||||
identifiers:
|
||||
cce@rhel8: 82721-2
|
||||
|
||||
@@ -27,12 +23,12 @@ references:
|
||||
ospp: FIA_AFL.1
|
||||
|
||||
ocil: |-
|
||||
- To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
|
||||
- make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
|
||||
+ To determine whether the <tt>openssl</tt> wrapper is configured correctly,
|
||||
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
|
||||
that are included in the rule's description.
|
||||
|
||||
ocil_clause: |-
|
||||
- there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
|
||||
+ there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
|
||||
|
||||
warnings:
|
||||
- general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
index 0bffab3c81..d7f3ce8c87 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
|
||||
@@ -2,7 +2,7 @@
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
|
||||
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
|
||||
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
|
||||
# provide a default -rand /dev/random option to openssl commands that
|
||||
# support it
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
index c1d526902c..64a580da91 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
|
||||
@@ -2,4 +2,4 @@
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
|
||||
-rm -f /etc/profile.d/cc-config.sh
|
||||
+rm -f /etc/profile.d/openssl-rand.sh
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
index 313d14a37f..2c812e874b 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
|
||||
@@ -2,4 +2,4 @@
|
||||
# platform = Red Hat Enterprise Linux 8
|
||||
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
|
||||
-echo "wrong data" > /etc/profile.d/cc-config.sh
|
||||
+echo "wrong data" > /etc/profile.d/openssl-rand.sh
|
||||
|
||||
From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 31 Jan 2020 16:34:48 +0100
|
||||
Subject: [PATCH 6/6] Rule and remediation wording improvements.
|
||||
|
||||
---
|
||||
.../openssl_use_strong_entropy/ansible/shared.yml | 3 +--
|
||||
.../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++-----
|
||||
2 files changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
index 6ee232892d..25afb8e27f 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
|
||||
@@ -4,9 +4,8 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-- name: "copy a file with shell snippet to configure openssl strong entropy"
|
||||
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
|
||||
copy:
|
||||
dest: /etc/profile.d/openssl-rand.sh
|
||||
content: |+
|
||||
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
|
||||
-
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
index dd82336532..8a958e93b0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
||||
@@ -6,14 +6,18 @@ prodtype: rhel8
|
||||
title: 'OpenSSL uses strong entropy source'
|
||||
|
||||
description: |-
|
||||
- To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
|
||||
- save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
|
||||
+ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
|
||||
+ A way to configure OpenSSL to always use a strong source is to setup a wrapper that
|
||||
+ defines a shell function that shadows the actual <tt>openssl</tt> binary,
|
||||
+ and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
|
||||
+
|
||||
+ To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
|
||||
<pre>
|
||||
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
|
||||
</pre>
|
||||
|
||||
rationale: |-
|
||||
- This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
|
||||
+ This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
|
||||
|
||||
severity: medium
|
||||
identifiers:
|
||||
@@ -23,8 +27,9 @@ references:
|
||||
ospp: FIA_AFL.1
|
||||
|
||||
ocil: |-
|
||||
- To determine whether the <tt>openssl</tt> wrapper is configured correctly,
|
||||
- make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
|
||||
+ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
|
||||
+ uses a SP800-90A compliant entropy source,
|
||||
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
|
||||
that are included in the rule's description.
|
||||
|
||||
ocil_clause: |-
|
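Review bot: The OVAL check in `oval/shared.xml` compares `/etc/profile.d/openssl-rand.sh` against the literal SHA-256 `6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af`, while the file's contents are generated from the `openssl_strong_entropy_config_file` macro in `shared/macros.jinja`, so any future edit to the macro — or a remediation that emits a different trailing newline, which the ansible `content: |+` block and the bash heredoc keep in sync only by hand (patch 6's removal of the trailing blank line in `ansible/shared.yml` appears to be exactly that) — silently turns both remediations into a failing check. A comment beside the hash such as `<!-- SHA-256 of the exact output of openssl_strong_entropy_config_file(); regenerate whenever the macro changes -->`, and having `tests/correct.pass.sh` write the macro output instead of a verbatim copy of the snippet, would keep the three from drifting. Separately, the wrapper is a shell function sourced from `/etc/profile.d`, so it only shadows `openssl` in shells that source that directory; cron jobs, systemd services, scripts that call `/usr/bin/openssl` by path, and programs linking libcrypto are not affected, which the rationale's "always uses" and the single `warnings` entry do not convey. Consider a second warning, e.g. `- general: "The wrapper only applies to openssl invoked from shells that source /etc/profile.d; services, scripts calling /usr/bin/openssl directly, and library users are not covered."`.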
1951
SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch
855
SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch
@ -0,0 +1,855 @@
|
||||
From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 10:49:36 +0100
|
||||
Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 20 +++++++++++++++++++
|
||||
shared/macros-bash.jinja | 26 +++++++++++++++++++++++++
|
||||
shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++-----
|
||||
3 files changed, 80 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 3e4a441225..c42a5156ce 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -141,6 +141,26 @@
|
||||
{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
+{{#
|
||||
+ High level macro to set a value in a shell-related file that contains var assignments. This
|
||||
+ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
|
||||
+ in the configuration file, and the value to set it to. We specify a case
|
||||
+ sensitive comparison in the prefix since this is used to deduplicate since
|
||||
+ We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
|
||||
+#}}
|
||||
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
|
||||
+{{% if no_quotes -%}}
|
||||
+{{%- else -%}}
|
||||
+{{%- set quotes = "\"'" -%}}
|
||||
+ {{% if "$" in value %}}
|
||||
+ {{% set value = '"%s"' % value %}}
|
||||
+ {{% else %}}
|
||||
+ {{% set value = "'%s'" % value %}}
|
||||
+ {{% endif %}}
|
||||
+{{%- endif -%}}
|
||||
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
{{#
|
||||
High level macro to set a command in tmux configuration file /etc/tmux.conf.
|
||||
Parameters:
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 43200bdd8a..6c0bb2facc 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -1,5 +1,31 @@
|
||||
{{# ##### High level macros ##### #}}
|
||||
|
||||
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
|
||||
+{{% if no_quotes -%}}
|
||||
+ {{% if "$" in value %}}
|
||||
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
|
||||
+ {{% endif %}}
|
||||
+{{%- else -%}}
|
||||
+ {{% if "$" in value %}}
|
||||
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
|
||||
+ {{% else %}}
|
||||
+ {{% set value = "'%s'" % value %}}
|
||||
+ {{% endif %}}
|
||||
+{{%- endif -%}}
|
||||
+{{{ set_config_file(
|
||||
+ path=path,
|
||||
+ parameter=parameter,
|
||||
+ value=value,
|
||||
+ create=true,
|
||||
+ insert_after="",
|
||||
+ insert_before="^Match",
|
||||
+ insensitive=false,
|
||||
+ separator="=",
|
||||
+ separator_regex="=",
|
||||
+ prefix_regex="^\s*")
|
||||
+ }}}
|
||||
+{{%- endmacro -%}}
|
||||
+
|
||||
{{%- macro bash_sshd_config_set(parameter, value) -%}}
|
||||
{{{ set_config_file(
|
||||
path="/etc/ssh/sshd_config",
|
||||
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||
index 2049a24d6e..696cf36db0 100644
|
||||
--- a/shared/macros-oval.jinja
|
||||
+++ b/shared/macros-oval.jinja
|
||||
@@ -17,8 +17,9 @@
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
- section (String): If set, the parameter will be checked only within the given section defined by [section].
|
||||
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
|
||||
#}}
|
||||
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
|
||||
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
<metadata>
|
||||
@@ -60,7 +61,7 @@
|
||||
</definition>
|
||||
{{{ oval_line_in_file_test(path, parameter) }}}
|
||||
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
|
||||
- {{{ oval_line_in_file_state(value, multi_value) }}}
|
||||
+ {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
|
||||
{{%- if missing_parameter_pass %}}
|
||||
{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
|
||||
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
|
||||
@@ -173,12 +174,21 @@
|
||||
This macro can take two parameters:
|
||||
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
|
||||
+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
|
||||
#}}
|
||||
-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
|
||||
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
|
||||
+{{%- set regex = value -%}}
|
||||
+{{%- if quotes != "" %}}
|
||||
+{{%- if "\\1" in value > 0 %}}
|
||||
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
|
||||
+{{%- endif %}}
|
||||
+{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
|
||||
+{{%- endif %}}
|
||||
{{%- if multi_value %}}
|
||||
-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
|
||||
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
|
||||
{{%- else %}}
|
||||
-{{%- set regex = "^"+value+"$" -%}}
|
||||
+{{%- set regex = "^"+regex+"$" -%}}
|
||||
{{%- endif %}}
|
||||
<ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
|
||||
<ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
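Review bot: The guard `{{%- if "\\1" in value > 0 %}}` is a chained comparison, i.e. `("\\1" in value) and (value > 0)`; under Python 3 the string-to-int comparison raises TypeError exactly when the first half is true, so the explanatory `raise(...)` message below it is never reached. Dropping the spurious comparison fixes it: `{{%- if "\\1" in value %}}`. Separately, in the `multi_value` branch the quote group is wrapped as `\b((?:"|')?)…\b`, which — if I read it right — places the word boundary before the optional quote, so a quoted value such as `SHELL="/bin/bash"` would not be matched there; none of the new tests cover `multi_value` with quotes, so this is worth checking. The `oval_line_in_file_state` macro continues past the end of this hunk.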
|
||||
@@ -232,6 +242,25 @@
|
||||
{{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
+{{#
|
||||
+ High level macro to check if a particular shell variable is set.
|
||||
+ This macro can take five parameters:
|
||||
+ - path (String): Path to the file.
|
||||
+ - parameter (String): The shell variable name.
|
||||
+ - value (String): The variable value WITHOUT QUOTES.
|
||||
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
+#}}
|
||||
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
|
||||
+{{% if no_quotes -%}}
|
||||
+{{%- set quotes = "" -%}}
|
||||
+{{%- else -%}}
|
||||
+{{%- set quotes = "\"'" -%}}
|
||||
+{{%- endif -%}}
|
||||
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
{{#
|
||||
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
|
||||
This function can take five parameters:
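Review bot: `oval_check_shell_file` forwards `value` into `oval_check_config_file`, where it is interpolated into a regular expression, but its comment header only says "The variable value WITHOUT QUOTES" and never mentions regex semantics; a literal such as `1.5` or `a+b` will therefore match more than the rule author expects. Either document it — `- value (String): The variable value WITHOUT QUOTES. It is used as a regular expression, so escape metacharacters when a literal match is wanted.` — or escape it in the macro before passing it on. The `prefix_regex="^[ \\t]*"` also means an `export SHELL=…` form is not recognised; if that is intended, a sentence in the header saying so would help rule authors.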
|
||||
|
||||
From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 10:50:16 +0100
|
||||
Subject: [PATCH 2/7] Added tests for shell lineinfile.
|
||||
|
||||
---
|
||||
tests/test_macros_oval.py | 142 ++++++++++++++++++
|
||||
.../unit/bash/test_set_config_file.bats.jinja | 56 +++++++
|
||||
2 files changed, 198 insertions(+)
|
||||
|
||||
diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
|
||||
index 65a88ba7b4..8acae8548b 100755
|
||||
--- a/tests/test_macros_oval.py
|
||||
+++ b/tests/test_macros_oval.py
|
||||
@@ -896,6 +896,148 @@ def main():
|
||||
"[vehicle]\nspeed =\n100",
|
||||
"false"
|
||||
)
|
||||
+ tester.test(
|
||||
+ "SHELL commented out",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ "# SHELL=/bin/bash\n",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL correct",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ " SHELL=/bin/bash\n",
|
||||
+ "true"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL single-quoted",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin"/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ " SHELL='/bin\"/bash'\n",
|
||||
+ "true"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL double-quoted",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value=' /bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ SHELL=" /bin/bash"\n""",
|
||||
+ "true"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL unwanted double-quoted",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value=' /bin/bash',
|
||||
+ no_quotes=true,
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ SHELL=" /bin/bash"\n""",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL unwanted single-quoted",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin"/bash',
|
||||
+ no_quotes=true,
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ " SHELL='/bin\"/bash'\n",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL double-quoted spaced",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ SHELL= "/bin/bash"\n""",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL bad_var_case",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ Shell="/bin/bash"\n""",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL bad_value_case",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ SHELL="/bin/Bash"\n""",
|
||||
+ "false"
|
||||
+ )
|
||||
+ tester.test(
|
||||
+ "SHELL badly quoted",
|
||||
+ r"""{{{ oval_check_shell_file(
|
||||
+ path='CONFIG_FILE',
|
||||
+ parameter='SHELL',
|
||||
+ value='/bin/bash',
|
||||
+ missing_parameter_pass=false,
|
||||
+ application='',
|
||||
+ multi_value=false,
|
||||
+ missing_config_file_fail=false,
|
||||
+ ) }}}""",
|
||||
+ """ SHELL="/bin/bash'\n""",
|
||||
+ "false"
|
||||
+ )
|
||||
|
||||
tester.finish()
|
||||
|
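Review bot: The new cases exercise the quote handling only with `multi_value=false`, so the interaction between the quote capturing group and the `\b` wrapping used for `multi_value=true` in `oval_line_in_file_state` is left untested. One additional `tester.test("SHELL multi-value quoted", …)` invocation with `multi_value=true` and a file line such as `" SHELL=\"/bin/bash\"\n"` (constructed example) would pin whether quoted values are accepted in that mode. A case with a regex metacharacter in `value` (e.g. `1.5` against `SHELL=1x5`) would likewise document whether `value` is meant as a literal or a pattern.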
||||
diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
|
||||
index 3dc2c721d4..4126d0440e 100644
|
||||
--- a/tests/unit/bash/test_set_config_file.bats.jinja
|
||||
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
|
||||
@@ -126,3 +126,59 @@ function call_set_config_file {
|
||||
|
||||
rm "$tmp_file"
|
||||
}
|
||||
+
|
||||
+@test "Basic Bash remediation" {
|
||||
+ tmp_file="$(mktemp)"
|
||||
+ printf "%s\n" "something=foo" > "$tmp_file"
|
||||
+ expected_output="something='va lue'\n"
|
||||
+
|
||||
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
|
||||
+
|
||||
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
||||
+ echo "$output"
|
||||
+ [ "$status" -eq 0 ]
|
||||
+
|
||||
+ rm "$tmp_file"
|
||||
+}
|
||||
+
|
||||
+@test "Variable remediation - preserve dollar and use double quotes" {
|
||||
+ tmp_file="$(mktemp)"
|
||||
+ printf "%s\n" "something=bar" > "$tmp_file"
|
||||
+ expected_output='something="$value"'"\n"
|
||||
+
|
||||
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
|
||||
+
|
||||
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
||||
+ echo "$output"
|
||||
+ [ "$status" -eq 0 ]
|
||||
+
|
||||
+ rm "$tmp_file"
|
||||
+}
|
||||
+
|
||||
+@test "Basic Bash remediation - don't quote" {
|
||||
+ tmp_file="$(mktemp)"
|
||||
+ printf "%s\n" "something=foo" > "$tmp_file"
|
||||
+ expected_output="something=va lue\n"
|
||||
+
|
||||
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
|
||||
+
|
||||
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
||||
+ echo "$output"
|
||||
+ [ "$status" -eq 0 ]
|
||||
+
|
||||
+ rm "$tmp_file"
|
||||
+}
|
||||
+
|
||||
+@test "Variable remediation - don't quote" {
|
||||
+ tmp_file="$(mktemp)"
|
||||
+ printf "%s\n" "something=bar" > "$tmp_file"
|
||||
+ expected_output='something=$value'"\n"
|
||||
+
|
||||
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
|
||||
+
|
||||
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
||||
+ echo "$output"
|
||||
+ [ "$status" -eq 0 ]
|
||||
+
|
||||
+ rm "$tmp_file"
|
||||
+}
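Review bot: In each new test the expected content is passed as printf's format string, `printf "$expected_output"`, so an expected value containing `%` would be interpreted as a conversion rather than compared literally; `<(printf "%b" "$expected_output")` keeps the `\n` expansion while treating the text as data. This mirrors the pattern in the existing tests above, so it may be a deliberate convention, but the four new cases are the first to put arbitrary values through it. There is also no case for a value containing a single quote, which is the branch of `bash_shell_file_set` most likely to produce an unbalanced line.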
|
||||
|
||||
From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Fri, 17 Jan 2020 10:51:02 +0100
|
||||
Subject: [PATCH 3/7] Added the shell lineinfile template.
|
||||
|
||||
---
|
||||
docs/manual/developer_guide.adoc | 21 +++++++++++++++++
|
||||
.../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++
|
||||
.../templates/template_BASH_shell_lineinfile | 6 +++++
|
||||
.../templates/template_OVAL_shell_lineinfile | 10 ++++++++
|
||||
ssg/templates.py | 23 +++++++++++++++++++
|
||||
5 files changed, 81 insertions(+)
|
||||
create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
create mode 100644 shared/templates/template_BASH_shell_lineinfile
|
||||
create mode 100644 shared/templates/template_OVAL_shell_lineinfile
|
||||
|
||||
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
|
||||
index aa0a7491c3..b5d22213b7 100644
|
||||
--- a/docs/manual/developer_guide.adoc
|
||||
+++ b/docs/manual/developer_guide.adoc
|
||||
@@ -1591,6 +1591,27 @@ service_enabled::
|
||||
** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
|
||||
* Languages: Ansible, Bash, OVAL, Puppet
|
||||
|
||||
+shell_lineinfile::
|
||||
+* Checks shell variable assignments in files.
|
||||
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
|
||||
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
|
||||
+* Parameters:
|
||||
+** *path* - What file to check.
|
||||
+** *parameter* - name of the shell variable, eg. `SHELL`.
|
||||
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
|
||||
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
|
||||
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
|
||||
+* Languages: Ansible, Bash, OVAL
|
||||
+* Example:
|
||||
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
|
||||
+** `HISTSIZE=500`
|
||||
+** `HISTSIZE="500"`
|
||||
+** `HISTSIZE='500'`
|
||||
++
|
||||
+The remediation would insert one of the quoted forms if the line was not present.
|
||||
++
|
||||
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
|
||||
+
|
||||
sshd_lineinfile::
|
||||
* Checks SSH server configuration items in `/etc/ssh/sshd_config`.
|
||||
* Parameters:
|
||||
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
new file mode 100644
|
||||
index 0000000000..7d0a3ebcbd
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
@@ -0,0 +1,21 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
|
||||
+{{%- if NO_QUOTES -%}}
|
||||
+ {{% set msg = "Setting unquoted " ~ msg %}}
|
||||
+{{%- else -%}}
|
||||
+ {{% set msg = "Setting shell-quoted " ~ msg %}}
|
||||
+{{%- endif -%}}
|
||||
+{{{
|
||||
+ ansible_shell_set(
|
||||
+ msg=msg,
|
||||
+ path=PATH,
|
||||
+ parameter=PARAMETER,
|
||||
+ value=VALUE,
|
||||
+ no_quotes=NO_QUOTES
|
||||
+ )
|
||||
+}}}
|
||||
+
|
||||
diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
|
||||
new file mode 100644
|
||||
index 0000000000..6bf869d62b
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_BASH_shell_lineinfile
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
|
||||
diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
|
||||
new file mode 100644
|
||||
index 0000000000..fd05b6b568
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/template_OVAL_shell_lineinfile
|
||||
@@ -0,0 +1,10 @@
|
||||
+{{{
|
||||
+oval_check_shell_file(
|
||||
+ path=PATH,
|
||||
+ parameter=PARAMETER,
|
||||
+ value=VALUE,
|
||||
+ no_quotes=NO_QUOTES,
|
||||
+ missing_parameter_pass=MISSING_PARAMETER_PASS
|
||||
+)
|
||||
+}}}
|
||||
+
|
||||
diff --git a/ssg/templates.py b/ssg/templates.py
|
||||
index f4f56c94e6..c2c82e6c29 100644
|
||||
--- a/ssg/templates.py
|
||||
+++ b/ssg/templates.py
|
||||
@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
|
||||
return data
|
||||
|
||||
|
||||
+@template(["ansible", "bash", "oval"])
|
||||
+def shell_lineinfile(data, lang):
|
||||
+ value = data["value"]
|
||||
+ if value[0] in ("'", '"') and value[0] == value[1]:
|
||||
+ msg = (
|
||||
+ "Value >>{value}<< of shell variable '{varname}' "
|
||||
+ "has been supplied with quotes, please fix the content - "
|
||||
+ "shell quoting is handled by the check/remediation code."
|
||||
+ .format(value=value, varname=data["parameter"]))
|
||||
+ raise Exception(msg)
|
||||
+ missing_parameter_pass = data.get("missing_parameter_pass", "false")
|
||||
+ if missing_parameter_pass == "true":
|
||||
+ missing_parameter_pass = True
|
||||
+ elif missing_parameter_pass == "false":
|
||||
+ missing_parameter_pass = False
|
||||
+ data["missing_parameter_pass"] = missing_parameter_pass
|
||||
+ no_quotes = False
|
||||
+ if data["no_quotes"] == "true":
|
||||
+ no_quotes = True
|
||||
+ data["no_quotes"] = no_quotes
|
||||
+ return data
|
||||
+
|
||||
+
|
||||
@template(["ansible", "bash", "oval"])
|
||||
def timer_enabled(data, lang):
|
||||
if "packagename" not in data:
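Review bot: `shell_lineinfile` reads `data["no_quotes"]` directly, so a rule that omits the key fails with KeyError, whereas `missing_parameter_pass` a few lines above is read with `.get(..., "false")` and the developer guide added in this series presents `no_quotes` as optional; `no_quotes = data.get("no_quotes", "false") == "true"` makes the two consistent. The `missing_parameter_pass` conversion also passes any string other than `"true"`/`"false"` through unchanged, so a typo like `"ture"` silently reaches the templates as a truthy string; raising on unexpected values would surface that at build time. A `ValueError` would be a more specific choice than bare `Exception` for the quoted-value error.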
|
||||
|
||||
From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 14:13:01 +0100
|
||||
Subject: [PATCH 4/7] Fixed the templated string evaluation.
|
||||
|
||||
---
|
||||
ssg/templates.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssg/templates.py b/ssg/templates.py
|
||||
index c2c82e6c29..873f543f41 100644
|
||||
--- a/ssg/templates.py
|
||||
+++ b/ssg/templates.py
|
||||
@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
|
||||
@template(["ansible", "bash", "oval"])
|
||||
def shell_lineinfile(data, lang):
|
||||
value = data["value"]
|
||||
- if value[0] in ("'", '"') and value[0] == value[1]:
|
||||
+ if value[0] in ("'", '"') and value[0] == value[-1]:
|
||||
msg = (
|
||||
"Value >>{value}<< of shell variable '{varname}' "
|
||||
"has been supplied with quotes, please fix the content - "
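Review bot: The corrected guard still indexes `value[0]` unconditionally, so an empty `value` raises IndexError, and a one-character value consisting of a single `'` or `"` satisfies `value[0] == value[-1]` and is reported as quoted. Guarding on length covers both: `if len(value) >= 2 and value[0] in ("'", '"') and value[0] == value[-1]:`. The rest of `shell_lineinfile` lies outside this hunk.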
|
||||
|
||||
From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 14:46:39 +0100
|
||||
Subject: [PATCH 5/7] Fixed jinja macros
|
||||
|
||||
- Fixed macro descriptions.
|
||||
- Fixed Ansible insert_after.
|
||||
---
|
||||
shared/macros-ansible.jinja | 18 ++++++++----------
|
||||
shared/macros-bash.jinja | 2 +-
|
||||
shared/macros-oval.jinja | 7 +++----
|
||||
3 files changed, 12 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index c42a5156ce..81e18e2d5c 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -143,22 +143,20 @@
|
||||
|
||||
{{#
|
||||
High level macro to set a value in a shell-related file that contains var assignments. This
|
||||
- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
|
||||
- in the configuration file, and the value to set it to. We specify a case
|
||||
- sensitive comparison in the prefix since this is used to deduplicate since
|
||||
+ takes these values:
|
||||
+ - msg (the name for the Ansible task),
|
||||
+ - path to the file,
|
||||
+ - parameter to set in the configuration file, and
|
||||
+ - value to set it to.
|
||||
We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
|
||||
#}}
|
||||
{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
|
||||
{{% if no_quotes -%}}
|
||||
{{%- else -%}}
|
||||
-{{%- set quotes = "\"'" -%}}
|
||||
- {{% if "$" in value %}}
|
||||
- {{% set value = '"%s"' % value %}}
|
||||
- {{% else %}}
|
||||
- {{% set value = "'%s'" % value %}}
|
||||
- {{% endif %}}
|
||||
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
|
||||
+{{% set value = '"%s"' % value %}}
|
||||
{{%- endif -%}}
|
||||
-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
|
||||
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
{{#
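Review bot: `ansible_shell_set` now double-quotes every value, while the Bash macro in the same series single-quotes values that contain no `$`; for the same rule the two remediations therefore write different file contents, and a value containing `"` produces an unbalanced line under Ansible only. Both forms pass the OVAL check since it accepts either quote, but the divergence from the developer-guide text ("single shell quotes unless there is the dollar sign") is worth stating in the macro comment, e.g. `{{# Ansible always writes "value"; Bash writes 'value' unless the value contains $. #}}`. The `insert_before="^# " ~ parameter` anchor also requires exactly one space after `#`, whereas the Bash counterpart in this patch uses `^#\s*`; aligning on `insert_before="^#\s*" ~ parameter` keeps both remediations placing the line at the same spot.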
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index 6c0bb2facc..dc7fd25588 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -18,7 +18,7 @@
|
||||
value=value,
|
||||
create=true,
|
||||
insert_after="",
|
||||
- insert_before="^Match",
|
||||
+ insert_before="^#\s*" ~ parameter,
|
||||
insensitive=false,
|
||||
separator="=",
|
||||
separator_regex="=",
|
||||
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||
index 696cf36db0..cfa9de9d2d 100644
|
||||
--- a/shared/macros-oval.jinja
|
||||
+++ b/shared/macros-oval.jinja
|
||||
@@ -233,7 +233,7 @@
|
||||
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
|
||||
|
||||
We specify a case insensitive comparison in the prefix because
|
||||
sshd_config has case-insensitive parameters (but case-sensitive values).
|
||||
@@ -250,7 +250,7 @@
|
||||
- value (String): The variable value WITHOUT QUOTES.
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
|
||||
#}}
|
||||
{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
|
||||
{{% if no_quotes -%}}
|
||||
@@ -268,8 +268,7 @@
|
||||
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
-
|
||||
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
|
||||
#}}
|
||||
{{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
|
||||
{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
|
||||
|
||||
From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Wed, 22 Jan 2020 11:37:39 +0100
|
||||
Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 2 +-
|
||||
shared/macros-oval.jinja | 10 ++++++++--
|
||||
shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++--
|
||||
3 files changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 81e18e2d5c..f752e7a2be 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -25,7 +25,7 @@
|
||||
{{%- elif insert_before %}}
|
||||
insertbefore: '{{{ insert_before }}}'
|
||||
{{%- endif %}}
|
||||
- {{% else %}}
|
||||
+ {{%- else %}}
|
||||
state: '{{{ state }}}'
|
||||
{{%- endif %}}
|
||||
{{%- if validate %}}
|
||||
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||
index cfa9de9d2d..5f391efdcb 100644
|
||||
--- a/shared/macros-oval.jinja
|
||||
+++ b/shared/macros-oval.jinja
|
||||
@@ -13,13 +13,16 @@
|
||||
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
||||
- separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
|
||||
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
- section (String): If set, the parameter will be checked only within the given section defined by [section].
|
||||
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
|
||||
#}}
|
||||
{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
|
||||
+{{%- if application == '' -%}}
|
||||
+ {{%- set application = "The respective application or service" -%}}
|
||||
+{{%- endif -%}}
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
<metadata>
|
||||
@@ -248,6 +251,9 @@
|
||||
- path (String): Path to the file.
|
||||
- parameter (String): The shell variable name.
|
||||
- value (String): The variable value WITHOUT QUOTES.
|
||||
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
|
||||
+ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
|
||||
+ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
|
||||
@@ -342,7 +348,7 @@
|
||||
- parameter (String): The parameter to be checked in the configuration file.
|
||||
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
||||
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
|
||||
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
|
||||
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
||||
#}}
|
||||
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
index 7d0a3ebcbd..3e6c5619ea 100644
|
||||
--- a/shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
|
||||
@@ -3,7 +3,7 @@
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
|
||||
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
|
||||
{{%- if NO_QUOTES -%}}
|
||||
{{% set msg = "Setting unquoted " ~ msg %}}
|
||||
{{%- else -%}}
|
||||
@@ -15,7 +15,7 @@
|
||||
path=PATH,
|
||||
parameter=PARAMETER,
|
||||
value=VALUE,
|
||||
- no_quotes=NO_QUOTES
|
||||
+ no_quotes=NO_QUOTES
|
||||
)
|
||||
}}}
|
||||
|
||||
|
||||
From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 16:43:23 +0100
|
||||
Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
|
||||
|
||||
---
|
||||
.../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++
|
||||
.../tests/bad_config.fail.sh | 3 ++
|
||||
.../tests/good_config.pass.sh | 3 ++
|
||||
.../tests/no_config.fail.sh | 3 ++
|
||||
.../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++
|
||||
rhel8/profiles/ospp.profile | 1 +
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
7 files changed, 60 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..4bfb72702b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
||||
@@ -0,0 +1,47 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+# TODO: The plan is not to need this for RHEL>=8.4
|
||||
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'SSH server uses strong entropy to seed'
|
||||
+
|
||||
+description: |-
|
||||
+ To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
|
||||
+ The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
|
||||
+ make sure that the file contains line
|
||||
+ <pre>SSH_USE_STRONG_RNG=32</pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
|
||||
+ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
|
||||
+ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
|
||||
+ the random number generator used by SSH would be known to potential attackers.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82462-3
|
||||
+
|
||||
+references:
|
||||
+ ospp: FIA_AFL.1
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine whether the SSH service is configured to use strong entropy seed,
|
||||
+ run <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre>
|
||||
+ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
|
||||
+ then the option is set correctly.
|
||||
+
|
||||
+ocil_clause: |-
|
||||
+ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
|
||||
+
|
||||
+warnings:
|
||||
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
|
||||
+
|
||||
+template:
|
||||
+ name: shell_lineinfile
|
||||
+ vars:
|
||||
+ path: '/etc/sysconfig/sshd'
|
||||
+ parameter: 'SSH_USE_STRONG_RNG'
|
||||
+ value: '32'
|
||||
+ no_quotes: 'true'
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..f4f8c22f64
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_rhel
|
||||
+
|
||||
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000000..70f53ac22b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_rhel
|
||||
+
|
||||
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..1e5f0b2998
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_rhel
|
||||
+
|
||||
+rm -f /etc/sysconfig/sshd
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000000..a10d24a73b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_rhel
|
||||
+
|
||||
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index f97527a914..63aea526b7 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -58,6 +58,7 @@ selections:
|
||||
- sshd_set_keepalive
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_rekey_limit
|
||||
+ - sshd_use_strong_rng
|
||||
|
||||
# Time Server
|
||||
- chronyd_client_only
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index b665fa1cea..1ff291c7df 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -1,4 +1,3 @@
|
||||
-CCE-82462-3
|
||||
CCE-82463-1
|
||||
CCE-82464-9
|
||||
CCE-82465-6
|
22
SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch
Normal file
@ -0,0 +1,22 @@
|
||||
From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 3 Feb 2020 10:55:42 +0100
|
||||
Subject: [PATCH] Update ISACA COBIT URI.
|
||||
|
||||
---
|
||||
shared/transforms/shared_constants.xslt | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt
|
||||
index e88922d965..0aed1f6337 100644
|
||||
--- a/shared/transforms/shared_constants.xslt
|
||||
+++ b/shared/transforms/shared_constants.xslt
|
||||
@@ -28,7 +28,7 @@
|
||||
<xsl:variable name="nistcsfuri">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</xsl:variable>
|
||||
<xsl:variable name="isa-62443-2013uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785</xsl:variable>
|
||||
<xsl:variable name="isa-62443-2009uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731</xsl:variable>
|
||||
-<xsl:variable name="cobit5uri">http://www.isaca.org/COBIT/Pages/default.aspx</xsl:variable>
|
||||
+<xsl:variable name="cobit5uri">https://www.isaca.org/resources/cobit</xsl:variable>
|
||||
<xsl:variable name="cis-cscuri">https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf</xsl:variable>
|
||||
<xsl:variable name="osppuri">https://www.niap-ccevs.org/Profile/PP.cfm</xsl:variable>
|
||||
<xsl:variable name="pcidssuri">https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf</xsl:variable>
|
@ -0,0 +1,124 @@
|
||||
From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 13:42:35 +0100
|
||||
Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios
|
||||
|
||||
Update test scenarios for OSPP profile, it selects 'FIPS:OSPP' crypto policy,
|
||||
not 'FIPS'.
|
||||
---
|
||||
.../tests/dropin_file_and_symlink_exist.fail.sh | 4 ++--
|
||||
.../tests/file_exists_but_no_file_in_local_d.fail.sh | 2 +-
|
||||
.../configure_crypto_policy/tests/missing_nss_config.fail.sh | 2 +-
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
index 693cdb03a9..2de1cf4a3b 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
@@ -1,11 +1,11 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
|
||||
# using example of opensshserver
|
||||
DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
|
||||
|
||||
-update-crypto-policies --set FIPS
|
||||
+update-crypto-policies --set "FIPS:OSPP"
|
||||
|
||||
echo "" > "$DROPIN_FILE"
|
||||
echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
index 5935a38eac..428b76879a 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
@@ -5,7 +5,7 @@
|
||||
#using example of openssh server
|
||||
CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
|
||||
|
||||
-update-crypto-policies --set "FIPS"
|
||||
+update-crypto-policies --set "FIPS:OSPP"
|
||||
|
||||
rm -f /etc/crypto-policies/local.d/opensshserver-*.config
|
||||
rm -f "$CRYPTO_POLICY_FILE"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
|
||||
index b165006a8d..97bc4b499c 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
|
||||
@@ -2,6 +2,6 @@
|
||||
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
|
||||
-update-crypto-policies --set "FIPS"
|
||||
+update-crypto-policies --set "FIPS:OSPP"
|
||||
|
||||
rm -f "/etc/crypto-policies/back-ends/nss.config"
|
||||
|
||||
From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 21 Jan 2020 14:07:50 +0100
|
||||
Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios
|
||||
|
||||
---
|
||||
.../tests/dropin_file_and_symlink_exist.fail.sh | 11 -----------
|
||||
.../file_exists_but_no_file_in_local_d.fail.sh | 13 -------------
|
||||
.../tests/override_policy.pass.sh | 11 -----------
|
||||
3 files changed, 35 deletions(-)
|
||||
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
deleted file mode 100644
|
||||
index 2de1cf4a3b..0000000000
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,11 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
-
|
||||
-# using example of opensshserver
|
||||
-DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
|
||||
-
|
||||
-update-crypto-policies --set "FIPS:OSPP"
|
||||
-
|
||||
-echo "" > "$DROPIN_FILE"
|
||||
-echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
deleted file mode 100644
|
||||
index 428b76879a..0000000000
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,13 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
-
|
||||
-#using example of openssh server
|
||||
-CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
|
||||
-
|
||||
-update-crypto-policies --set "FIPS:OSPP"
|
||||
-
|
||||
-rm -f /etc/crypto-policies/local.d/opensshserver-*.config
|
||||
-rm -f "$CRYPTO_POLICY_FILE"
|
||||
-
|
||||
-echo "pretend that we overide the crrypto policy but no related file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE"
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
|
||||
deleted file mode 100644
|
||||
index ce37abd7ff..0000000000
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,11 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||||
-# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||||
-
|
||||
-#using openssh server as example
|
||||
-CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
|
||||
-
|
||||
-echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE"
|
||||
-echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE"
|
||||
-
|
||||
-update-crypto-policies --set FIPS:OSPP
|
@ -0,0 +1,273 @@
|
||||
From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 10 Feb 2020 16:16:17 +0100
|
||||
Subject: [PATCH 1/4] create new rules, add missing reference to older rule
|
||||
|
||||
---
|
||||
.../rule.yml | 26 +++++++++++++++
|
||||
.../package_openssh-server_installed/rule.yml | 1 +
|
||||
.../rule.yml | 32 +++++++++++++++++++
|
||||
.../rule.yml | 29 +++++++++++++++++
|
||||
5 files changed, 88 insertions(+), 3 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..9b3c55f23b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
@@ -0,0 +1,26 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Install OpenSSH client software'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_package_install(package="openssh-clients") }}}
|
||||
+
|
||||
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82722-0
|
||||
+
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
|
||||
+
|
||||
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
|
||||
+
|
||||
+template:
|
||||
+ name: package_installed
|
||||
+ vars:
|
||||
+ pkgname: openssh-clients
|
||||
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
index c18e604a5c..ba013ec509 100644
|
||||
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
||||
@@ -28,6 +28,7 @@ references:
|
||||
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
|
||||
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
||||
cis-csc: 13,14
|
||||
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
|
||||
|
||||
ocil_clause: 'the package is not installed'
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..6025f0cd33
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Install policycoreutils-python-utils package'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_package_install(package="policycoreutils-python-utils") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
|
||||
+ with enhanced security functionality designed to add mandatory access controls to Linux.
|
||||
+ The Security-enhanced Linux kernel contains new architectural components originally
|
||||
+ developed to improve security of the Flask operating system. These architectural components
|
||||
+ provide general support for the enforcement of many kinds of mandatory access control
|
||||
+ policies, including those based on the concepts of Type Enforcement, Role-based Access
|
||||
+ Control, and Multi-level Security.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82724-6
|
||||
+
|
||||
+references:
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+
|
||||
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
|
||||
+
|
||||
+template:
|
||||
+ name: package_installed
|
||||
+ vars:
|
||||
+ pkgname: policycoreutils-python-utils
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000000..c418518e7a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
@@ -0,0 +1,29 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Install crypto-policies package'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_package_install(package="crypto-policies") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>crypto-policies</tt> package provides configuration and tools to
|
||||
+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
|
||||
+
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: 82723-8
|
||||
+
|
||||
+references:
|
||||
+ ospp: FCS_COP*
|
||||
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
+
|
||||
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
|
||||
+
|
||||
+template:
|
||||
+ name: package_installed
|
||||
+ vars:
|
||||
+ pkgname: crypto-policies
|
||||
From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 10 Feb 2020 16:18:03 +0100
|
||||
Subject: [PATCH 2/4] modify ospp profile
|
||||
|
||||
---
|
||||
rhel8/profiles/ospp.profile | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
||||
index 4d5a9edd8e..c672066050 100644
|
||||
--- a/rhel8/profiles/ospp.profile
|
||||
+++ b/rhel8/profiles/ospp.profile
|
||||
@@ -169,17 +169,17 @@ selections:
|
||||
- package_dnf-plugin-subscription-manager_installed
|
||||
- package_firewalld_installed
|
||||
- package_iptables_installed
|
||||
- - package_libcap-ng-utils_installed
|
||||
- package_openscap-scanner_installed
|
||||
- package_policycoreutils_installed
|
||||
- package_rng-tools_installed
|
||||
- package_sudo_installed
|
||||
- package_usbguard_installed
|
||||
- - package_audispd-plugins_installed
|
||||
- package_scap-security-guide_installed
|
||||
- package_audit_installed
|
||||
- - package_gnutls-utils_installed
|
||||
- - package_nss-tools_installed
|
||||
+ - package_crypto-policies_installed
|
||||
+ - package_openssh-server_installed
|
||||
+ - package_openssh-clients_installed
|
||||
+ - package_policycoreutils-python-utils_installed
|
||||
|
||||
### Remove Prohibited Packages
|
||||
- package_sendmail_removed
|
||||
@@ -316,7 +316,7 @@ selections:
|
||||
## Configure the System to Offload Audit Records to a Log
|
||||
## Server
|
||||
## AU-4(1) / FAU_GEN.1.1.c
|
||||
- - auditd_audispd_syslog_plugin_activated
|
||||
+ # temporarily dropped
|
||||
|
||||
## Set Logon Warning Banner
|
||||
## AC-8(a) / FMT_MOF_EXT.1
|
||||
|
||||
From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 10 Feb 2020 16:18:52 +0100
|
||||
Subject: [PATCH 3/4] add rules to rhel8 stig profile
|
||||
|
||||
---
|
||||
rhel8/profiles/stig.profile | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
||||
index 821cc26914..7eb1869a3c 100644
|
||||
--- a/rhel8/profiles/stig.profile
|
||||
+++ b/rhel8/profiles/stig.profile
|
||||
@@ -33,6 +33,9 @@ selections:
|
||||
- encrypt_partitions
|
||||
- sysctl_net_ipv4_tcp_syncookies
|
||||
- clean_components_post_updating
|
||||
+ - package_audispd-plugins_installed
|
||||
+ - package_libcap-ng-utils_installed
|
||||
+ - auditd_audispd_syslog_plugin_activated
|
||||
|
||||
# Configure TLS for remote logging
|
||||
- package_rsyslog_installed
|
||||
|
||||
From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 10 Feb 2020 17:42:43 +0100
|
||||
Subject: [PATCH 4/4] rephrase some rationales, fix SFR
|
||||
|
||||
---
|
||||
.../ssh/package_openssh-clients_installed/rule.yml | 4 +++-
|
||||
.../rule.yml | 9 ++-------
|
||||
.../crypto/package_crypto-policies_installed/rule.yml | 8 ++++----
|
||||
3 files changed, 9 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
index 9b3c55f23b..f5b29d32e8 100644
|
||||
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
||||
@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
|
||||
description: |-
|
||||
{{{ describe_package_install(package="openssh-clients") }}}
|
||||
|
||||
-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
|
||||
+rationale: |-
|
||||
+ This package includes utilities to make encrypted connections and transfer
|
||||
+ files securely to SSH servers.
|
||||
|
||||
severity: medium
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
index 6025f0cd33..7ae7461077 100644
|
||||
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
@@ -8,13 +8,8 @@ description: |-
|
||||
{{{ describe_package_install(package="policycoreutils-python-utils") }}}
|
||||
|
||||
rationale: |-
|
||||
- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
|
||||
- with enhanced security functionality designed to add mandatory access controls to Linux.
|
||||
- The Security-enhanced Linux kernel contains new architectural components originally
|
||||
- developed to improve security of the Flask operating system. These architectural components
|
||||
- provide general support for the enforcement of many kinds of mandatory access control
|
||||
- policies, including those based on the concepts of Type Enforcement, Role-based Access
|
||||
- Control, and Multi-level Security.
|
||||
+ This package is required to operate and manage an SELinux environment and its policies.
|
||||
+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
|
||||
|
||||
severity: medium
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
index c418518e7a..bb07f9d617 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
||||
@@ -8,9 +8,9 @@ description: |-
|
||||
{{{ describe_package_install(package="crypto-policies") }}}
|
||||
|
||||
rationale: |-
|
||||
- The <tt>crypto-policies</tt> package provides configuration and tools to
|
||||
- apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
|
||||
-
|
||||
+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and
|
||||
+ the applications that run on that operating system. Use of weak or untested encryption algorithms
|
||||
+ undermines the purposes of utilizing encryption to protect data.
|
||||
|
||||
severity: medium
|
||||
|
||||
@@ -18,7 +18,7 @@ identifiers:
|
||||
cce@rhel8: 82723-8
|
||||
|
||||
references:
|
||||
- ospp: FCS_COP*
|
||||
+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
|
||||
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
|
||||
{{{ complete_ocil_entry_package(package='crypto-policies') }}}
|
@ -1,13 +1,30 @@
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.46
|
||||
Release: 1%{?dist}
|
||||
Version: 0.1.48
|
||||
Release: 7%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
Group: Applications/System
|
||||
License: BSD
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
|
||||
Patch2: scap-security-guide-0.1.49-max-path-len-skip-logs.patch
|
||||
Patch3: scap-security-guide-0.1.49-drop-rsyslog-rules.patch
|
||||
Patch4: scap-security-guide-0.1.49-update-cobit-uri.patch
|
||||
Patch5: scap-security-guide-0.1.49-ssh-use-strong-rng.patch
|
||||
Patch6: scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
|
||||
Patch7: scap-security-guide-0.1.49-add-stig-kickstart.patch
|
||||
Patch8: scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
|
||||
Patch9: scap-security-guide-0.1.49-add-few-srg-mappings.patch
|
||||
# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations
|
||||
# from https://github.com/ComplianceAsCode/content/pull/5110
|
||||
# HEAD 210ee56aab3f831c96810ca42189642274bd735f
|
||||
Patch10: scap-security-guide-0.1.49-split-audit-rules.patch
|
||||
Patch11: scap-security-guide-0.1.49-fix-remaining-srgs.patch
|
||||
# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch
|
||||
Patch12: scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
|
||||
Patch13: scap-security-guide-0.1.49-add-cce-openssh-server.patch
|
||||
BuildArch: noarch
|
||||
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
@ -42,6 +59,19 @@ present in %{name} package.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
mkdir build
|
||||
|
||||
%build
|
||||
@ -76,6 +106,45 @@ cd build
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%changelog
|
||||
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
|
||||
- Update baseline package list of OSPP profile
|
||||
|
||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
|
||||
- Rebuilt with correct spec file
|
||||
|
||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
|
||||
- Add SRG references to STIG rules (RHBZ#1755447)
|
||||
|
||||
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
|
||||
- Drop rsyslog rules from OSPP profile
|
||||
- Update COBIT URI
|
||||
- Add rules for strong source of RNG entropy
|
||||
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
|
||||
- STIG profile: added rsyslog rules and updated SRG mappings
|
||||
- Split audit rules according to audit component (RHBZ#1791312)
|
||||
|
||||
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
|
||||
- Update crypto-policy test scenarios
|
||||
- Update max-path-len test to skip tests/logs directory
|
||||
|
||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
|
||||
- Fix list of tables that are generated for RHEL8
|
||||
|
||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
|
||||
|
||||
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||
- Improved the e8 profile (RHBZ#1755194)
|
||||
|
||||
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
|
||||
|
||||
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
|
||||
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
|
||||
|
||||
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
|
||||
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
|
||||
|
||||
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
|
||||
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
|
||||
|