import scap-security-guide-0.1.48-7.el8

CentOS Sources 2020-04-28 05:32:22 -04:00 committed by Andrew Lukoshko
parent 0ac390339a
commit 41c5266b38
17 changed files with 4447 additions and 25 deletions

.gitignore

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.46.tar.bz2
SOURCES/scap-security-guide-0.1.48.tar.bz2


@ -1 +1 @@
05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2
a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2


@ -1,34 +1,37 @@
From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 17 Dec 2018 13:30:06 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 17 Jan 2020 19:01:22 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
They raise too many errors and fails.
Also disable tables for profiles that are not built.
---
rhel8/CMakeLists.txt | 3 ++-
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/hipaa.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
6 files changed, 7 insertions(+), 6 deletions(-)
rhel8/CMakeLists.txt | 2 --
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/hipaa.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
9 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index 99bccbed7..77f8ccaec 100644
index 40f2b2b0f..492a8dae1 100644
--- a/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt
@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+# Standard profile is disabled for RHEL8 as it is not in good shape
+#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
# Uncomment when anssi profiles are marked documentation_complete: true
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index a7f8c0b16..c460793be 100644
index 05ea9cdd6..9c55ac5b1 100644
--- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -48,7 +51,7 @@ index eb62252a4..e8f369708 100644
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index feb98007c..0667f65ed 100644
index 8d20f9019..d641b56fe 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -1,4 +1,4 @@
@ -57,8 +60,28 @@ index feb98007c..0667f65ed 100644
title: 'Health Insurance Portability and Accountability Act (HIPAA)'
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
index 2baee6d66..8592d7aaf 100644
--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index 023663b21..8b22bc711 100644
index c84579592..164ec98c4 100644
--- a/rhel8/profiles/rht-ccp.profile
+++ b/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -78,5 +101,5 @@ index a63ae2cf3..da669bb84 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.19.2
2.21.1
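Review bot: in the rhel8/CMakeLists.txt hunk the `ssg_build_html_nistrefs_table(${PRODUCT} "standard")` call is kept as a commented-out copy rather than removed, which is the kind of dead line that is forgotten when the standard profile comes back; the anssi tables just below use the same pattern but with an explicit "Uncomment when ... documentation_complete: true" reminder, so at least state the re-enable condition the same way. The rhelh-stig and rhelh-vpp profiles are newly switched to `documentation_complete: false` in this revision of the patch, yet the message still only says "Also disable tables for profiles that are not built"; name the two profiles there so the reason for the change is on record.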


@ -0,0 +1,21 @@
From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 Feb 2020 13:53:46 +0100
Subject: [PATCH] Add CCE identifier for openssh-server installed
---
.../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index ba013ec509..cecd6514fb 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel7: 80215-7
+ cce@rhel8: 83303-8
references:
disa: 2418,2420,2421,2422
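Review bot: the diffstat says `2 files changed, 1 insertion(+), 1 deletion(-)` but the patch carries only the rule.yml hunk; the deletion, presumably the removal of CCE-83303-8 from shared/references/cce-redhat-avail.txt (the pattern the openssl_use_strong_entropy patch on this page follows for CCE-82721-2), is missing, so the identifier would stay listed as available and could be assigned twice.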


@ -0,0 +1,150 @@
From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 5 Feb 2020 10:23:44 +0100
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
---
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 1b42b7233b..4dcbc458d1 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
+ srg: SRG-OS-000096-GPOS-00050
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 298f17d2d8..d1ec9f644e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ identifiers:
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+ srg: SRG-OS-000368-GPOS-00154
platform: machine
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index b20323c1af..39aa044941 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -34,7 +34,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: OS-SRG-000029-GPOS-00010
+ srg: SRG-OS-000029-GPOS-00010
stigid@rhel7: "010110"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 0380f0149f..7742b8d862 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -35,7 +35,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@rhel7: "010060"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
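Review bot: the two screensaver hunks correct the same transposition (`OS-SRG-` for `SRG-OS-`), so this is a recurring mistake rather than a one-off; a content test that validates every `srg:` reference against the `SRG-OS-nnnnnn-GPOS-nnnnn` shape would catch the next one at build time instead of in review. The subject says "Add and fix few entries" but gives no source for the two new mappings (kernel_module_dccp_disabled and mount_option_var_log_nodev); a pointer to the STIG requirement they derive from would help later audits.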
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 10:33:54 +0100
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
The SRG is about configuring the system in accordance with security
baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
---
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 4bfb72702b..62b2d01924 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether the SSH service is configured to use strong entropy seed,
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 8a958e93b0..47dc8953e4 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
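Review bot: both hunks insert the new `srg:` line directly under `ospp: FIA_AFL.1`, and that context line looks wrong for these rules: FIA_AFL.1 is the Common Criteria family for authentication failure handling, which has nothing to do with RNG seeding for sshd or openssl; FCS_RBG_EXT.1 (random bit generation) is the family one would expect. Since this patch is already editing the references block of both rules, it is the right moment to confirm that reference. Minor: "entopy" in the subject should be "entropy".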
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:12:02 +0100
Subject: [PATCH 3/4] Same SRG mapping as
package_subscription-manager_installed
The package provides an interface for automation of package updates
---
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 6b0144fd54..8f081d9a3c 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ srg: SRG-OS-000366-GPOS-00153
ocil_clause: 'the package is not installed'
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:14:35 +0100
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
From rule's rationale:
Binaries in pigz package are compiled without sufficient stack
protection and its ADSLR is weak.
---
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
index 595b78e768..bb724d916d 100644
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
@@ -18,6 +18,9 @@ severity: low
identifiers:
cce@rhel8: 82397-1
+references:
+ srg: SRG-OS-000433-GPOS-00192
+
{{{ complete_ocil_entry_package(package="pigz") }}}
template:
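Review bot: "ADSLR" in the subject and in the quoted rationale should read "ASLR"; the rationale text is quoted from the rule, so if the rule itself carries the typo it should be fixed there as well. The new `references:` block followed by a blank `+` line is consistent with the other rules in this series.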


@ -0,0 +1,23 @@
From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 4 Feb 2020 17:38:45 +0100
Subject: [PATCH] Add rules to configure rsyslog TLS
---
rhel8/profiles/stig.profile | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index d85e18e9d0..821cc26914 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -33,3 +33,9 @@ selections:
- encrypt_partitions
- sysctl_net_ipv4_tcp_syncookies
- clean_components_post_updating
+
+ # Configure TLS for remote logging
+ - package_rsyslog_installed
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
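Review bot: the four rsyslog TLS selections added here are the same four that the "remove rsyslog rules from ospp" patch on this page drops from ospp.profile as "temporarily dropped"; the message should say why the rules are considered ready for the STIG profile but not for OSPP (a known problem with the remediation or the check, for instance), otherwise the two changes read as contradictory.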


@ -0,0 +1,184 @@
From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 3 Feb 2020 21:23:59 +0100
Subject: [PATCH] Add Kickstart file for STIG profile
Based on OSPP KS
---
rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++
1 file changed, 167 insertions(+)
create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
new file mode 100644
index 0000000000..8c970dd6ff
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
@@ -0,0 +1,167 @@
+# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+
+# Install a fresh new system (optional)
+install
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+# "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --bootproto dhcp
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Refer to e.g.
+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+# to see how to create encrypted password form for different plaintext password
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol swap --name=swap --vgname=VolGroup --size=2016
+
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+# content - security policies - on the installed system.This add-on has been enabled by default
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+# functionality will automatically be installed. However, by default, no policies are enforced,
+# meaning that no checks are performed during or after installation unless specifically configured.
+#
+# Important
+# Applying a security policy is not necessary on all systems. This screen should only be used
+# when a specific policy is mandated by your organization rules or government regulations.
+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+# Values can be optionally enclosed in single quotes (') or double quotes (").
+#
+# The following keys are recognized by the add-on:
+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+# - If the content-type is scap-security-guide, the add-on will use content provided by the
+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+# xccdf-id - ID of the benchmark you want to use.
+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+# profile - ID of the profile to be applied. Use default to apply the default profile.
+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+#
+# The following is an example %addon org_fedora_oscap section which uses content from the
+# scap-security-guide on the installation media:
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_stig
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
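Review bot: a few copy-over issues in the new kickstart. The `bootloader` comment points at `https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw` with the rootpw "encrypted password" text pasted from the block above; link the bootloader section instead. The DHCP note cites CCE-27021-5 (DISA FSO RHEL-06-000292), a RHEL 6 identifier, in a RHEL 8 STIG kickstart; map it to the RHEL 8 rule or drop the reference. `install` and `authconfig` are deprecated kickstart commands on RHEL 8 (`authconfig` has been superseded by `authselect`), so check that the file still parses cleanly with the RHEL 8 installer. Finally, the root and admin password hashes have their plaintext ("server", "admin123") documented in comments and this file ships in the package; say explicitly in the header that both must be replaced before the kickstart is used on a real system.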


@ -0,0 +1,36 @@
From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
<vpolasek@redhat.com>
Date: Mon, 3 Feb 2020 11:37:50 +0100
Subject: remove rsyslog rules from ospp
---
rhel8/profiles/ospp.profile | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index ef3ced501..fb653de9d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -178,8 +178,6 @@ selections:
- package_audispd-plugins_installed
- package_scap-security-guide_installed
- package_audit_installed
- - package_rsyslog_installed
- - package_rsyslog-gnutls_installed
- package_gnutls-utils_installed
- package_nss-tools_installed
@@ -391,8 +389,7 @@ selections:
- timer_dnf-automatic_enabled
# Configure TLS for remote logging
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
+ # temporarily dropped
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab
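Review bot: in the second hunk the `# Configure TLS for remote logging` header comment is retained but now introduces only `# temporarily dropped`, so the profile says neither what was wrong with `rsyslog_remote_tls` / `rsyslog_remote_tls_cacert` nor when they come back; put the reason (or an issue reference) in the comment or in the commit message. Together with the first hunk, which also drops `package_rsyslog_installed` and `package_rsyslog-gnutls_installed`, this leaves OSPP without any rsyslog requirement at all, which the message should call out given that the same four selections are being added to stig.profile in this series.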
--
2.25.0


@ -0,0 +1,49 @@
From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 6 Feb 2020 11:29:31 +0100
Subject: [PATCH] Map missing SRG rules
---
.../guide/system/software/gnome/dconf_db_up_to_date/rule.yml | 3 +++
.../system-tools/package_gnutls-utils_installed/rule.yml | 1 +
.../software/system-tools/package_nss-tools_installed/rule.yml | 1 +
3 files changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
index 3017b789f8..3e0b4fa2d1 100644
--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml
@@ -20,6 +20,9 @@ identifiers:
cce@rhel8: 81003-6
cce@rhel7: 81004-4
+references:
+ srg: SRG-OS-000480-GPOS-00227
+
ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles'
ocil: |-
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
index ebb8ad95f0..1374900664 100644
--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
index 32c9c32893..5d0d679a1a 100644
--- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
ocil_clause: 'the package is not installed'


@ -0,0 +1,49 @@
From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 14:17:00 +0100
Subject: [PATCH 1/2] Don't check for path len of logs directory
The logs are not part of the tarball, nor used to build the content.
---
tests/ensure_paths_are_short.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
index 5d4e27cb91..18d4c662ff 100755
--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
@@ -13,6 +13,10 @@ def main():
ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
max_path = ""
for dir_, _, files in os.walk(ssg_root):
+ # Don't check for path len of log files
+ # They are not shipped nor used during build
+ if "tests/logs/" in dir_:
+ continue
for file_ in files:
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
if len(path) > len(max_path):
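Review bot: `if "tests/logs/" in dir_` is a substring test on the absolute path, so it also fires for any checkout whose parent directory happens to contain `tests/logs/`; patch 2/2 replaces it with a relative-path check, so the two should be squashed rather than leaving the intermediate version in history.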
From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 15:05:17 +0100
Subject: [PATCH 2/2] Skip only only tests/logs/ from project root
---
tests/ensure_paths_are_short.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py
index 18d4c662ff..b9e985fea0 100755
--- a/tests/ensure_paths_are_short.py
+++ b/tests/ensure_paths_are_short.py
@@ -15,7 +15,8 @@ def main():
for dir_, _, files in os.walk(ssg_root):
# Don't check for path len of log files
# They are not shipped nor used during build
- if "tests/logs/" in dir_:
+ current_relative_path = os.path.relpath(dir_, ssg_root)
+ if current_relative_path.startswith("tests/logs/"):
continue
for file_ in files:
path = os.path.relpath(os.path.join(dir_, file_), ssg_root)
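Review bot: `current_relative_path.startswith("tests/logs/")` does not match the `tests/logs` directory itself, because `os.path.relpath` returns it without a trailing separator; only its subdirectories are skipped, so files directly under tests/logs/ are still measured. Compare against `"tests/logs"` as well, or test `os.path.join(current_relative_path, "").startswith("tests/logs/")`, which covers both. Since `os.walk` is top-down, pruning the directory from the yielded directory list (`dirs[:] = [...]`) would also avoid descending into the log tree at all instead of skipping it one directory at a time.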


@ -0,0 +1,593 @@
From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 27 Jan 2020 11:51:53 +0100
Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.
---
.../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
new file mode 100644
index 0000000000..e9ea8ed338
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+prodtype: rhel8
+
+title: 'OpenSSL uses strong entropy source'
+
+description: |-
+ To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+ save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ <pre>
+ # provide a default -rand /dev/random option to openssl commands that
+ # support it
+
+ # written inefficiently for maximum shell compatibility
+ openssl()
+ (
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+ )
+ </pre>
+
+rationale: |-
+ The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+ The referenced script is sourced to every login shell, and it transparently adds an option
+ that enforces strong entropy to every <tt>openssl</tt> invocation,
+ which makes <tt>openssl</tt> more secure by default.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82721-2
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+ make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ that are included in the rule's description.
+
+ocil_clause: |-
+ there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 63aea526b7..ef3ced5010 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -59,6 +59,7 @@ selections:
- sshd_enable_warning_banner
- sshd_rekey_limit
- sshd_use_strong_rng
+ - openssl_use_strong_entropy
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4cb08794f4..1733872dfa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -248,6 +248,5 @@
CCE-82719-6
CCE-82720-4
-CCE-82721-2
CCE-82722-0
CCE-82723-8
CCE-82724-6
From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Jan 2020 19:35:06 +0100
Subject: [PATCH 2/6] create checks, remediations,
---
.../ansible/shared.yml | 12 +++++++
.../openssl_use_strong_entropy/bash/shared.sh | 5 +++
.../oval/shared.xml | 34 +++++++++++++++++++
.../openssl_use_strong_entropy/rule.yml | 29 +---------------
shared/macros.jinja | 34 ++++++++++++++++++-
5 files changed, 85 insertions(+), 29 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
new file mode 100644
index 0000000000..3ce26d6525
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "copy a file with shell snippet to configure openssl strong entropy"
+ copy:
+ dest: /etc/profile.d/cc-config.sh
+ content: |+
+ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
new file mode 100644
index 0000000000..db5c331ce7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+{{{ openssl_strong_entropy_config_file() }}}
+EOM
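Review bot: the quoted delimiter in `<<- 'EOM'` is essential, since the macro body contains `$openssl_bin`, `$*` and `$@` that must not be expanded at remediation time, and `<<-` strips leading tabs only, which is harmless because the macro indents with spaces; a comment stating both would save the next reader the check. Also the platform differs between remediations: this one is `Red Hat Enterprise Linux 8` while the Ansible one is `multi_platform_all`; align them unless the difference is deliberate.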
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
new file mode 100644
index 0000000000..b441b7ae6e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+ <metadata>
+ <title>Configure Openssl to use strong entropy</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 8</platform>
+ <platform>multi_platform_fedora</platform>
+ </affected>
+ <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_openssl_strong_entropy"
+ comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
+ </criteria>
+ </definition>
+
+ <ind:filehash58_test id="test_openssl_strong_entropy"
+ comment="Test if openssl is configured to generate random data with strong entropy" version="1"
+ check="all" check_existence="all_exist">
+ <ind:object object_ref="object_openssl_strong_entropy"/>
+ <ind:state state_ref="state_openssl_strong_entropy"/>
+ </ind:filehash58_test>
+
+ <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+
+ <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+</def-group>
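Review bot: the check is a hard-coded SHA-256 of `/etc/profile.d/cc-config.sh`, so any edit to the macro text, a trailing newline or a comment change silently turns compliant hosts into failing ones until the constant is regenerated, and nothing ties the constant to the macro. Suggest at least a comment next to `<ind:hash>` saying how it was computed (`sha256sum` of the Bash-remediated file), or a textfilecontent54 check for the `-rand /dev/random` line if exact-content matching is not a requirement. Minor: `Openssl` in the title should be `OpenSSL`, and the hand-listed `<affected>` platforms should come from the `oval_affected(products)` macro like the other checks.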
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index e9ea8ed338..3b01da01af 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -9,34 +9,7 @@ description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
<pre>
- # provide a default -rand /dev/random option to openssl commands that
- # support it
-
- # written inefficiently for maximum shell compatibility
- openssl()
- (
- openssl_bin=/usr/bin/openssl
-
- case "$*" in
- # if user specified -rand, honor it
- *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
- esac
-
- cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
- for i in `$openssl_bin list -commands`; do
- if $openssl_bin list -options "$i" | grep -q '^rand '; then
- cmds=" $i $cmds"
- fi
- done
-
- case "$cmds" in
- *\ "$1"\ *)
- cmd="$1"; shift
- exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
- esac
-
- exec $openssl_bin "$@"
- )
+ {{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 77f8eb31c7..8a25acc937 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
- When selecting this rule in a profile,
+ When selecting this rule in a profile,
{{%- if why %}}
make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
{{%- else %}}
rule <code>{{{ rule_id }}}</code> has to be selected as well.
{{%- endif %}}
{{% endmacro %}}
+
+{{% macro openssl_strong_entropy_config_file() -%}}
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+
+{{%- endmacro %}}
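Review bot: the `-`/`+` pair on `When selecting this rule in a profile,` inside `body_of_warning_about_dependent_rule` is a whitespace-only edit unrelated to OpenSSL and belongs in its own commit. On the new macro: the wrapper runs `openssl list -commands` plus one `openssl list -options` process per listed command on every `openssl` call, which the "written inefficiently" comment acknowledges but which adds dozens of forks to each invocation; caching the command list in a variable once at login would cost nothing in compatibility. The `case "$*"` patterns `*\ -rand\ *` and `*\ -help*` need a leading space, so `-rand` or `-help` as the very first argument does not take the shortcut; harmless, since the fall-through still execs the real binary, but worth a comment. The subshell body `( ... )` is the right choice: `exec` replaces only the subshell, not the caller's interactive shell. Finally, `/dev/random` on the RHEL 8 kernel can block while the entropy estimate is low; the rule's warning covers this, but a one-line comment in the macro would help an admin who meets the file in /etc/profile.d without the guide.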
From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jan 2020 13:42:40 +0100
Subject: [PATCH 3/6] add tests
---
.../tests/correct.pass.sh | 34 +++++++++++++++++++
.../tests/file_missing.fail.sh | 5 +++
.../tests/file_modified.fail.sh | 5 +++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
new file mode 100644
index 0000000000..0bffab3c81
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+EOM
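Review bot: the expected file content is pasted verbatim instead of rendered from `openssl_strong_entropy_config_file()`, so this scenario keeps passing against the old text if the macro changes while the OVAL hash changes with it, or fails for a macro edit that the hash was updated for. If test scenarios go through the same Jinja rendering as the remediations, use the macro here too; otherwise produce the file by running the Bash remediation rather than copying its output.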
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c1d526902c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
new file mode 100644
index 0000000000..313d14a37f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo "wrong data" > /etc/profile.d/cc-config.sh
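Review bot: `echo "wrong data"` only shows that a completely different file fails; a scenario that writes the real wrapper with a single changed token (for example `/dev/urandom` in place of `/dev/random`, or one extra trailing newline) would demonstrate that the hash check catches exactly the subtle edits it exists for.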
From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Jan 2020 11:12:46 +0100
Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do
not support it
---
.../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 3ce26d6525..bdc530f9f5 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -8,5 +8,5 @@
copy:
dest: /etc/profile.d/cc-config.sh
content: |+
- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+ {{{ openssl_strong_entropy_config_file()|indent(8) }}}
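Review bot: dropping `blank=True` is safe here: inside a YAML `|+` block scalar an empty line is a line break whatever its indentation, so the blank lines the macro emits unindented do not change the file `copy` writes; it also restores rendering on hosts whose Jinja2 predates 2.10, where `indent` has no `blank` argument.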
From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 30 Jan 2020 14:25:31 +0100
Subject: [PATCH 5/6] reword rationale, change file name
from cc-config.sh to openssl-rand.sh
change title of oval
---
.../openssl_use_strong_entropy/ansible/shared.yml | 2 +-
.../openssl_use_strong_entropy/bash/shared.sh | 2 +-
.../openssl_use_strong_entropy/oval/shared.xml | 11 ++++-------
.../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++---------
.../tests/correct.pass.sh | 2 +-
.../tests/file_missing.fail.sh | 2 +-
.../tests/file_modified.fail.sh | 2 +-
7 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index bdc530f9f5..6ee232892d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -6,7 +6,7 @@
- name: "copy a file with shell snippet to configure openssl strong entropy"
copy:
- dest: /etc/profile.d/cc-config.sh
+ dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
index db5c331ce7..d8c9935005 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = Red Hat Enterprise Linux 8
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
{{{ openssl_strong_entropy_config_file() }}}
EOM
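Review bot: renaming the target to `/etc/profile.d/openssl-rand.sh` leaves the old `/etc/profile.d/cc-config.sh` in place on hosts that followed the earlier rule text, so they end up sourcing two copies of the wrapper function (the second definition wins, so it still works, but the stale file remains); an `rm -f /etc/profile.d/cc-config.sh` here, and an `absent` file task in the Ansible remediation, would clean that up.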
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
index b441b7ae6e..847754f36d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -1,11 +1,8 @@
<def-group>
<definition class="compliance" id="openssl_use_strong_entropy" version="1">
<metadata>
- <title>Configure Openssl to use strong entropy</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 8</platform>
- <platform>multi_platform_fedora</platform>
- </affected>
+ <title>Configure OpenSSL to use strong entropy</title>
+ {{{- oval_affected(products) }}}
<description>OpenSSL should be configured to generate random data with strong entropy.</description>
</metadata>
<criteria>
@@ -22,12 +19,12 @@
</ind:filehash58_test>
<ind:filehash58_object id="object_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
</ind:filehash58_object>
<ind:filehash58_state id="state_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
<ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
</ind:filehash58_state>
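Review bot: `<ind:hash>` is unchanged while both `<ind:filepath>` values move to openssl-rand.sh, which is correct because the file content did not change; please say so in the commit message, since for a hash-based check a path rename and a content change look alike to a reviewer.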
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 3b01da01af..dd82336532 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
- The referenced script is sourced to every login shell, and it transparently adds an option
- that enforces strong entropy to every <tt>openssl</tt> invocation,
- which makes <tt>openssl</tt> more secure by default.
+ This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
severity: medium
-
identifiers:
cce@rhel8: 82721-2
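Review bot: the new rationale says the rule ensures `openssl` "always uses SP800-90A compliant random number generator", but what `-rand /dev/random` does is feed kernel-provided seed material into OpenSSL's DRBG; the DRBG itself is the SP 800-90A part and is used with or without this option. Wording such as "ensures that OpenSSL's SP 800-90A DRBG is seeded from /dev/random" is accurate. The dropped sentence about the script being sourced into every login shell was useful and should stay, because it also states the limit of the rule: the wrapper does nothing for non-login shells, cron jobs, or programs that call libcrypto directly. Also "uses SP800-90A compliant" needs an article: "uses an SP 800-90A compliant".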
@@ -27,12 +23,12 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
- make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
that are included in the rule's description.
ocil_clause: |-
- there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+ there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
warnings:
- general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
index 0bffab3c81..d7f3ce8c87 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -2,7 +2,7 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
# provide a default -rand /dev/random option to openssl commands that
# support it
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
index c1d526902c..64a580da91 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-rm -f /etc/profile.d/cc-config.sh
+rm -f /etc/profile.d/openssl-rand.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
index 313d14a37f..2c812e874b 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-echo "wrong data" > /etc/profile.d/cc-config.sh
+echo "wrong data" > /etc/profile.d/openssl-rand.sh
From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
From: Matěj Týč <matyc@redhat.com>
Date: Fri, 31 Jan 2020 16:34:48 +0100
Subject: [PATCH 6/6] Rule and remediation wording improvements.
---
.../openssl_use_strong_entropy/ansible/shared.yml | 3 +--
.../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++-----
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 6ee232892d..25afb8e27f 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -4,9 +4,8 @@
# complexity = low
# disruption = low
-- name: "copy a file with shell snippet to configure openssl strong entropy"
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
copy:
dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
-
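Review bot: deleting the trailing blank line changes what `copy` writes: under `content: |+` trailing empty lines are preserved, so the file previously ended with two newlines and now ends with one. That is presumably what makes the Ansible output match the Bash heredoc and the SHA-256 in the OVAL check, and it should be called out in the commit message, whose subject only mentions wording. Also `platform = multi_platform_all` still differs from the Bash remediation's `Red Hat Enterprise Linux 8`.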
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index dd82336532..8a958e93b0 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -6,14 +6,18 @@ prodtype: rhel8
title: 'OpenSSL uses strong entropy source'
description: |-
- To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
+ A way to configure OpenSSL to always use a strong source is to setup a wrapper that
+ defines a shell function that shadows the actual <tt>openssl</tt> binary,
+ and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
+
+ To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+ This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
severity: medium
identifiers:
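Review bot: grammar in the added lines: "a SP800-90A compliant" should be "an SP 800-90A compliant", "to setup a wrapper" should be "to set up a wrapper", and "openssl invocations always uses" should be "always use". More substantively, the description says OpenSSL "doesn't always use a SP800-90A compliant random number generator", but OpenSSL 1.1.1's default RAND is an SP 800-90A DRBG regardless of this wrapper; what `-rand /dev/random` changes is the seed source, so "is not always seeded from /dev/random" describes the rule accurately. The "exactly as-is" instruction is important because the check hashes the file; consider saying why.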
@@ -23,8 +27,9 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correctly,
- make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+ uses a SP800-90A compliant entropy source,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
that are included in the rule's description.
ocil_clause: |-
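Review bot: "a SP800-90A compliant entropy source" has the same terminology problem as the description: `/dev/random` is a kernel entropy source, and SP 800-90A specifies deterministic RNGs, not entropy sources. Since the OCIL text is what an assessor reads, "uses `/dev/random` as the seed source for OpenSSL's random number generator" is checkable against the file contents; also "a SP" should be "an SP".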

@ -0,0 +1,855 @@
From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
From: Matěj Týč <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:49:36 +0100
Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
---
shared/macros-ansible.jinja | 20 +++++++++++++++++++
shared/macros-bash.jinja | 26 +++++++++++++++++++++++++
shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++-----
3 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 3e4a441225..c42a5156ce 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -141,6 +141,26 @@
{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a value in a shell-related file that contains var assignments. This
+ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
+ in the configuration file, and the value to set it to. We specify a case
+ sensitive comparison in the prefix since this is used to deduplicate since
+ We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
+#}}
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
+{{% if no_quotes -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+ {{% if "$" in value %}}
+ {{% set value = '"%s"' % value %}}
+ {{% else %}}
+ {{% set value = "'%s'" % value %}}
+ {{% endif %}}
+{{%- endif -%}}
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{%- endmacro %}}
+
{{#
High level macro to set a command in tmux configuration file /etc/tmux.conf.
Parameters:
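Review bot: `quotes` set in the `else` branch of `ansible_shell_set` is never used, and the `if no_quotes` branch is empty; either drop `quotes` or, if it was meant for a checking macro, wire it through. `insert_before="^[#\s]*Match"` is copied from the sshd macro above and has no meaning for a generic shell file; pass no `insert_before` or make it a parameter. The doc comment is truncated mid-sentence ("this is used to deduplicate since We also specify"). Lastly, the `'"%s"' % value` branch does not escape a double quote inside the value, so such a value is rejected by the `bash -n` validator at run time rather than at render time; documenting that restriction, or escaping, would help content authors.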
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 43200bdd8a..6c0bb2facc 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -1,5 +1,31 @@
{{# ##### High level macros ##### #}}
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
+{{% if no_quotes -%}}
+ {{% if "$" in value %}}
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% endif %}}
+{{%- else -%}}
+ {{% if "$" in value %}}
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% else %}}
+ {{% set value = "'%s'" % value %}}
+ {{% endif %}}
+{{%- endif -%}}
+{{{ set_config_file(
+ path=path,
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="^Match",
+ insensitive=false,
+ separator="=",
+ separator_regex="=",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{%- macro bash_sshd_config_set(parameter, value) -%}}
{{{ set_config_file(
path="/etc/ssh/sshd_config",
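Review bot: `insert_before="^Match"` in `bash_shell_file_set` is carried over from `bash_sshd_config_set` and is meaningless for an arbitrary shell file; drop it or expose it as a parameter. The quoted branch wraps the value in `'%s'` without escaping, so a value containing a single quote yields an invalid assignment, and unlike `ansible_shell_set` there is no `bash -n` validation to catch it; escaping as `'\''` or rejecting such values at render time would make the two remediations behave the same. Naming: `bash_shell_file_set` beside `ansible_shell_set` for the same operation makes the pair harder to find; `bash_shell_set` would mirror the Ansible name.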
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 2049a24d6e..696cf36db0 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -17,8 +17,9 @@
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
- section (String): If set, the parameter will be checked only within the given section defined by [section].
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
#}}
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
@@ -60,7 +61,7 @@
</definition>
{{{ oval_line_in_file_test(path, parameter) }}}
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
- {{{ oval_line_in_file_state(value, multi_value) }}}
+ {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
{{%- if missing_parameter_pass %}}
{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
@@ -173,12 +174,21 @@
This macro can take two parameters:
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
+{{%- set regex = value -%}}
+{{%- if quotes != "" %}}
+{{%- if "\\1" in value > 0 %}}
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
+{{%- endif %}}
+{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
+{{%- endif %}}
{{%- if multi_value %}}
-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
{{%- else %}}
-{{%- set regex = "^"+value+"$" -%}}
+{{%- set regex = "^"+regex+"$" -%}}
{{%- endif %}}
<ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
<ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
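Review bot: `{{%- if "\\1" in value > 0 %}}` is a chained comparison, equivalent to `("\\1" in value) and (value > 0)`, so when a value does contain `\1` the second half compares a string with an integer and raises TypeError on Python 3 instead of producing the intended `raise(...)` message; drop the `> 0`. Second, combining `quotes` with `multi_value` yields `^.*\b((?:"|')?)value\b.*$`, and `\b` cannot match between `=` and an opening quote (both are non-word characters), so a quoted value inside a multi-value list never matches; place the quote group outside the `\b` anchors, or omit `\b` when quotes are set. Both deserve a test case.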
@@ -232,6 +242,25 @@
{{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
{{%- endmacro %}}
+{{#
+ High level macro to check if a particular shell variable is set.
+ This macro can take five parameters:
+ - path (String): Path to the file.
+ - parameter (String): The shell variable name.
+ - value (String): The variable value WITHOUT QUOTES.
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+#}}
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{% if no_quotes -%}}
+{{%- set quotes = "" -%}}
+{{%- else -%}}
+{{%- set quotes = "\"'" -%}}
+{{%- endif -%}}
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
+{{%- endmacro %}}
+
{{#
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
This function can take five parameters:
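Review bot: the doc comment for `oval_check_shell_file` says "five parameters" but lists six, and the signature takes eight; `application` and `no_quotes` are undocumented, and `no_quotes` is the one callers must understand (it makes the check reject quoted values outright rather than tolerate quoting). Also worth documenting that `separator_regex='='` with `prefix_regex="^[ \\t]*"` deliberately rejects `SHELL = /bin/bash` (not an assignment in shell) and does not match `export SHELL=/bin/bash`, since the `export` form is common in /etc/profile.d snippets and will surprise content authors.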
From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
From: Matěj Týč <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:50:16 +0100
Subject: [PATCH 2/7] Added tests for shell lineinfile.
---
tests/test_macros_oval.py | 142 ++++++++++++++++++
.../unit/bash/test_set_config_file.bats.jinja | 56 +++++++
2 files changed, 198 insertions(+)
diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
index 65a88ba7b4..8acae8548b 100755
--- a/tests/test_macros_oval.py
+++ b/tests/test_macros_oval.py
@@ -896,6 +896,148 @@ def main():
"[vehicle]\nspeed =\n100",
"false"
)
+ tester.test(
+ "SHELL commented out",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ "# SHELL=/bin/bash\n",
+ "false"
+ )
+ tester.test(
+ "SHELL correct",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL=/bin/bash\n",
+ "true"
+ )
+ tester.test(
+ "SHELL single-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin"/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL='/bin\"/bash'\n",
+ "true"
+ )
+ tester.test(
+ "SHELL double-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value=' /bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL=" /bin/bash"\n""",
+ "true"
+ )
+ tester.test(
+ "SHELL unwanted double-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value=' /bin/bash',
+ no_quotes=true,
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL=" /bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL unwanted single-quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin"/bash',
+ no_quotes=true,
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ " SHELL='/bin\"/bash'\n",
+ "false"
+ )
+ tester.test(
+ "SHELL double-quoted spaced",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL= "/bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL bad_var_case",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ Shell="/bin/bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL bad_value_case",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL="/bin/Bash"\n""",
+ "false"
+ )
+ tester.test(
+ "SHELL badly quoted",
+ r"""{{{ oval_check_shell_file(
+ path='CONFIG_FILE',
+ parameter='SHELL',
+ value='/bin/bash',
+ missing_parameter_pass=false,
+ application='',
+ multi_value=false,
+ missing_config_file_fail=false,
+ ) }}}""",
+ """ SHELL="/bin/bash'\n""",
+ "false"
+ )
tester.finish()
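Review bot: the new cases cover quoting well, but none exercises `missing_parameter_pass=true`, `multi_value=true` together with quotes, or the `export SHELL=/bin/bash` form that `prefix_regex` rejects; each is a one-`tester.test` addition and would pin the intended behaviour. Also `value='/bin/bash'` contains no regex metacharacters, so nothing checks that a value such as `a.b` is treated as a pattern (which the macro doc states); a case with a dot or a pipe in the value would document that.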
diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
index 3dc2c721d4..4126d0440e 100644
--- a/tests/unit/bash/test_set_config_file.bats.jinja
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
@@ -126,3 +126,59 @@ function call_set_config_file {
rm "$tmp_file"
}
+
+@test "Basic Bash remediation" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=foo" > "$tmp_file"
+ expected_output="something='va lue'\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Variable remediation - preserve dollar and use double quotes" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=bar" > "$tmp_file"
+ expected_output='something="$value"'"\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Basic Bash remediation - don't quote" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=foo" > "$tmp_file"
+ expected_output="something=va lue\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
+
+@test "Variable remediation - don't quote" {
+ tmp_file="$(mktemp)"
+ printf "%s\n" "something=bar" > "$tmp_file"
+ expected_output='something=$value'"\n"
+
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
+
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
+ echo "$output"
+ [ "$status" -eq 0 ]
+
+ rm "$tmp_file"
+}
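Review bot: `run diff -U2 "$tmp_file" <(printf "$expected_output")` uses the expected content as the printf format string, so an expected value containing `%` would be misinterpreted; use `printf '%b' "$expected_output"` (or build the expected file with `printf '%s\n'`) in all four tests. Separately, every scenario seeds the file with an existing `something=...` line, so only the replace path of bash_shell_file_set is exercised; add a scenario with an empty file and one with a commented `# something=...` line so the append and the `insert_before="^#\s*" ~ parameter` placement are covered.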
From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:51:02 +0100
Subject: [PATCH 3/7] Added the shell lineinfile template.
---
docs/manual/developer_guide.adoc | 21 +++++++++++++++++
.../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++
.../templates/template_BASH_shell_lineinfile | 6 +++++
.../templates/template_OVAL_shell_lineinfile | 10 ++++++++
ssg/templates.py | 23 +++++++++++++++++++
5 files changed, 81 insertions(+)
create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
create mode 100644 shared/templates/template_BASH_shell_lineinfile
create mode 100644 shared/templates/template_OVAL_shell_lineinfile
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index aa0a7491c3..b5d22213b7 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -1591,6 +1591,27 @@ service_enabled::
** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
* Languages: Ansible, Bash, OVAL, Puppet
+shell_lineinfile::
+* Checks shell variable assignments in files.
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
+* Parameters:
+** *path* - What file to check.
+** *parameter* - name of the shell variable, eg. `SHELL`.
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
+* Languages: Ansible, Bash, OVAL
+* Example:
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
+** `HISTSIZE=500`
+** `HISTSIZE="500"`
+** `HISTSIZE='500'`
++
+The remediation would insert one of the quoted forms if the line was not present.
++
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
+
sshd_lineinfile::
* Checks SSH server configuration items in `/etc/ssh/sshd_config`.
* Parameters:
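Review bot: the *value* bullet says "value of the SSH configuration option specified by *parameter*", copied from the sshd_lineinfile entry below; this template sets a shell variable, so say "value of the shell variable". "double quotes are administered" reads oddly; "double quotes are used". The example's "The remediation would insert one of the quoted forms" is vague: the Bash remediation emits single quotes (the bats test expects `something='va lue'`), and after the change to ansible_shell_set later in this series the Ansible remediation always emits double quotes; state which form each language produces so rule authors know what to expect in the target file.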
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
new file mode 100644
index 0000000000..7d0a3ebcbd
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{%- if NO_QUOTES -%}}
+ {{% set msg = "Setting unquoted " ~ msg %}}
+{{%- else -%}}
+ {{% set msg = "Setting shell-quoted " ~ msg %}}
+{{%- endif -%}}
+{{{
+ ansible_shell_set(
+ msg=msg,
+ path=PATH,
+ parameter=PARAMETER,
+ value=VALUE,
+ no_quotes=NO_QUOTES
+ )
+}}}
+
diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
new file mode 100644
index 0000000000..6bf869d62b
--- /dev/null
+++ b/shared/templates/template_BASH_shell_lineinfile
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
new file mode 100644
index 0000000000..fd05b6b568
--- /dev/null
+++ b/shared/templates/template_OVAL_shell_lineinfile
@@ -0,0 +1,10 @@
+{{{
+oval_check_shell_file(
+ path=PATH,
+ parameter=PARAMETER,
+ value=VALUE,
+ no_quotes=NO_QUOTES,
+ missing_parameter_pass=MISSING_PARAMETER_PASS
+)
+}}}
+
diff --git a/ssg/templates.py b/ssg/templates.py
index f4f56c94e6..c2c82e6c29 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
return data
+@template(["ansible", "bash", "oval"])
+def shell_lineinfile(data, lang):
+ value = data["value"]
+ if value[0] in ("'", '"') and value[0] == value[1]:
+ msg = (
+ "Value >>{value}<< of shell variable '{varname}' "
+ "has been supplied with quotes, please fix the content - "
+ "shell quoting is handled by the check/remediation code."
+ .format(value=value, varname=data["parameter"]))
+ raise Exception(msg)
+ missing_parameter_pass = data.get("missing_parameter_pass", "false")
+ if missing_parameter_pass == "true":
+ missing_parameter_pass = True
+ elif missing_parameter_pass == "false":
+ missing_parameter_pass = False
+ data["missing_parameter_pass"] = missing_parameter_pass
+ no_quotes = False
+ if data["no_quotes"] == "true":
+ no_quotes = True
+ data["no_quotes"] = no_quotes
+ return data
+
+
@template(["ansible", "bash", "oval"])
def timer_enabled(data, lang):
if "packagename" not in data:
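Review bot: `data["no_quotes"]` is read unconditionally, so a rule that omits `no_quotes` raises KeyError, even though the OVAL and Ansible macros default it to false; use `data.get("no_quotes", "false")` as is done for `missing_parameter_pass`. Both flags also only recognise the string `"true"`: a rule that writes the YAML boolean `no_quotes: true` (unquoted) arrives as Python `True`, which is not equal to `"true"`, so the flag is silently dropped and the rule gets quoted behaviour without any error. The exemplary rule in PATCH 7/7 works around this with `no_quotes: 'true'`. Normalise with something like `str(x).lower() == "true"` and raise on any other value for both flags.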
From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 14:13:01 +0100
Subject: [PATCH 4/7] Fixed the templated string evaluation.
---
ssg/templates.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/templates.py b/ssg/templates.py
index c2c82e6c29..873f543f41 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
@template(["ansible", "bash", "oval"])
def shell_lineinfile(data, lang):
value = data["value"]
- if value[0] in ("'", '"') and value[0] == value[1]:
+ if value[0] in ("'", '"') and value[0] == value[-1]:
msg = (
"Value >>{value}<< of shell variable '{varname}' "
"has been supplied with quotes, please fix the content - "
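Review bot: with `value[-1]` the comparison is now right, but `value[0]` is still indexed unguarded, so an empty `value:` in a rule raises IndexError without naming the rule, and a one-character value `"` or `'` is reported as "supplied with quotes". Guard with `len(value) >= 2 and value[0] in ("'", '"') and value[0] == value[-1]`, and reject the empty value with its own message.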
From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 14:46:39 +0100
Subject: [PATCH 5/7] Fixed jinja macros
- Fixed macro descriptions.
- Fixed Ansible insert_after.
---
shared/macros-ansible.jinja | 18 ++++++++----------
shared/macros-bash.jinja | 2 +-
shared/macros-oval.jinja | 7 +++----
3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index c42a5156ce..81e18e2d5c 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -143,22 +143,20 @@
{{#
High level macro to set a value in a shell-related file that contains var assignments. This
- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
- in the configuration file, and the value to set it to. We specify a case
- sensitive comparison in the prefix since this is used to deduplicate since
+ takes these values:
+ - msg (the name for the Ansible task),
+ - path to the file,
+ - parameter to set in the configuration file, and
+ - value to set it to.
We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
#}}
{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
{{% if no_quotes -%}}
{{%- else -%}}
-{{%- set quotes = "\"'" -%}}
- {{% if "$" in value %}}
- {{% set value = '"%s"' % value %}}
- {{% else %}}
- {{% set value = "'%s'" % value %}}
- {{% endif %}}
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
+{{% set value = '"%s"' % value %}}
{{%- endif -%}}
-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
{{%- endmacro %}}
{{#
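Review bot: the new comment "Use the double quotes in all cases" makes the Ansible remediation diverge from the Bash one (which still emits single quotes, per the bats expectation `something='va lue'`) and from the developer guide text added in PATCH 3/7 ("single shell quotes unless there is the dollar sign"); update the guide in this series so the documented behaviour matches. Also `insert_before="^# " ~ parameter` requires exactly one space after `#`, while the Bash macro in this same patch uses `"^#\s*" ~ parameter`; align the two, and anchor the name on the right (`\s*=`) so `# HISTSIZE` does not also match a commented `# HISTSIZEFOO=`.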
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 6c0bb2facc..dc7fd25588 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -18,7 +18,7 @@
value=value,
create=true,
insert_after="",
- insert_before="^Match",
+ insert_before="^#\s*" ~ parameter,
insensitive=false,
separator="=",
separator_regex="=",
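Review bot: `"^#\s*" ~ parameter` is unanchored on the right, so for parameter `HISTSIZE` it also matches a commented `#HISTSIZEFOO=1` and the new assignment lands before the wrong line; append `\s*=` (or `\b`). `\s` is a GNU extension rather than POSIX ERE; it works on the Linux targets here, but the OVAL macros in this series spell the same thing `[ \\t]*`, and the parameter name is interpolated unescaped, so a parameter containing `.` would match more than intended.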
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 696cf36db0..cfa9de9d2d 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -233,7 +233,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
We specify a case insensitive comparison in the prefix because
sshd_config has case-insensitive parameters (but case-sensitive values).
@@ -250,7 +250,7 @@
- value (String): The variable value WITHOUT QUOTES.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{% if no_quotes -%}}
@@ -268,8 +268,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
-
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 22 Jan 2020 11:37:39 +0100
Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
---
shared/macros-ansible.jinja | 2 +-
shared/macros-oval.jinja | 10 ++++++++--
shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++--
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 81e18e2d5c..f752e7a2be 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,7 +25,7 @@
{{%- elif insert_before %}}
insertbefore: '{{{ insert_before }}}'
{{%- endif %}}
- {{% else %}}
+ {{%- else %}}
state: '{{{ state }}}'
{{%- endif %}}
{{%- if validate %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index cfa9de9d2d..5f391efdcb 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -13,13 +13,16 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
- section (String): If set, the parameter will be checked only within the given section defined by [section].
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
#}}
{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+{{%- if application == '' -%}}
+ {{%- set application = "The respective application or service" -%}}
+{{%- endif -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
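Review bot: the docstring for `application` still says only that it "does not affect the actual OVAL check", while this hunk now substitutes a default string for it; say where the value is actually used (presumably the definition's description text) so authors know what the default produces. The `missing_config_file_fail` line in this docstring, and the one in the later `@@ -342,7 +348,7 @@` hunk of this file, still read "if the configuration is not existent in the system", the wording PATCH 5/7 corrected for the other three macros; fix those two as well.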
@@ -248,6 +251,9 @@
- path (String): Path to the file.
- parameter (String): The shell variable name.
- value (String): The variable value WITHOUT QUOTES.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
+ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
@@ -342,7 +348,7 @@
- parameter (String): The parameter to be checked in the configuration file.
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
#}}
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
index 7d0a3ebcbd..3e6c5619ea 100644
--- a/shared/templates/template_ANSIBLE_shell_lineinfile
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
{{%- if NO_QUOTES -%}}
{{% set msg = "Setting unquoted " ~ msg %}}
{{%- else -%}}
@@ -15,7 +15,7 @@
path=PATH,
parameter=PARAMETER,
value=VALUE,
- no_quotes=NO_QUOTES
+ no_quotes=NO_QUOTES
)
}}}
From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 16:43:23 +0100
Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
---
.../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++
.../tests/bad_config.fail.sh | 3 ++
.../tests/good_config.pass.sh | 3 ++
.../tests/no_config.fail.sh | 3 ++
.../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
new file mode 100644
index 0000000000..4bfb72702b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
+prodtype: rhel8
+
+title: 'SSH server uses strong entropy to seed'
+
+description: |-
+ To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
+ The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
+ make sure that the file contains line
+ <pre>SSH_USE_STRONG_RNG=32</pre>
+
+rationale: |-
+ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
+ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
+ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
+ the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82462-3
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the SSH service is configured to use strong entropy seed,
+ run <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre>
+ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
+ then the option is set correctly.
+
+ocil_clause: |-
+ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
+
+template:
+ name: shell_lineinfile
+ vars:
+ path: '/etc/sysconfig/sshd'
+ parameter: 'SSH_USE_STRONG_RNG'
+ value: '32'
+ no_quotes: 'true'
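Review bot: the check is stricter than the stated intent: the TODO says the compliant setting is 32 or more, but `value: '32'` with `no_quotes: 'true'` passes only the literal line `SSH_USE_STRONG_RNG=32`, so `SSH_USE_STRONG_RNG=64` or `SSH_USE_STRONG_RNG="32"` (quoted.fail.sh below) fail even though the file is read as shell-style assignments and both yield the same value. Either say in the description and OCIL that only the exact unquoted form is accepted (ocil_clause already says "not set to 32") or relax the check. The `ospp: FIA_AFL.1` reference is the authentication failure handling requirement, which does not match an RNG seeding rule and looks copied from a neighbouring rule; please verify. Minor: "elliminates" in the rationale, and "SSH implementation in RHEL8" wants "The".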
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
new file mode 100644
index 0000000000..f4f8c22f64
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
new file mode 100644
index 0000000000..70f53ac22b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
new file mode 100644
index 0000000000..1e5f0b2998
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+rm -f /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
new file mode 100644
index 0000000000..a10d24a73b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index f97527a914..63aea526b7 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - sshd_use_strong_rng
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b665fa1cea..1ff291c7df 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82462-3
CCE-82463-1
CCE-82464-9
CCE-82465-6


@ -0,0 +1,22 @@
From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 3 Feb 2020 10:55:42 +0100
Subject: [PATCH] Update ISACA COBIT URI.
---
shared/transforms/shared_constants.xslt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt
index e88922d965..0aed1f6337 100644
--- a/shared/transforms/shared_constants.xslt
+++ b/shared/transforms/shared_constants.xslt
@@ -28,7 +28,7 @@
<xsl:variable name="nistcsfuri">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</xsl:variable>
<xsl:variable name="isa-62443-2013uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116785</xsl:variable>
<xsl:variable name="isa-62443-2009uri">https://www.isa.org/templates/one-column.aspx?pageid=111294&amp;productId=116731</xsl:variable>
-<xsl:variable name="cobit5uri">http://www.isaca.org/COBIT/Pages/default.aspx</xsl:variable>
+<xsl:variable name="cobit5uri">https://www.isaca.org/resources/cobit</xsl:variable>
<xsl:variable name="cis-cscuri">https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf</xsl:variable>
<xsl:variable name="osppuri">https://www.niap-ccevs.org/Profile/PP.cfm</xsl:variable>
<xsl:variable name="pcidssuri">https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf</xsl:variable>


@ -0,0 +1,124 @@
From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 13:42:35 +0100
Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios
Update test scenarios for OSPP profile, it selects 'FIPS:OSPP' crypto policy,
not 'FIPS'.
---
.../tests/dropin_file_and_symlink_exist.fail.sh | 4 ++--
.../tests/file_exists_but_no_file_in_local_d.fail.sh | 2 +-
.../configure_crypto_policy/tests/missing_nss_config.fail.sh | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
index 693cdb03a9..2de1cf4a3b 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
@@ -1,11 +1,11 @@
#!/bin/bash
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+# profiles = xccdf_org.ssgproject.content_profile_ospp
# using example of opensshserver
DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-update-crypto-policies --set FIPS
+update-crypto-policies --set "FIPS:OSPP"
echo "" > "$DROPIN_FILE"
echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
index 5935a38eac..428b76879a 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
@@ -5,7 +5,7 @@
#using example of openssh server
CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
rm -f /etc/crypto-policies/local.d/opensshserver-*.config
rm -f "$CRYPTO_POLICY_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
index b165006a8d..97bc4b499c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh
@@ -2,6 +2,6 @@
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-update-crypto-policies --set "FIPS"
+update-crypto-policies --set "FIPS:OSPP"
rm -f "/etc/crypto-policies/back-ends/nss.config"
From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 21 Jan 2020 14:07:50 +0100
Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios
---
.../tests/dropin_file_and_symlink_exist.fail.sh | 11 -----------
.../file_exists_but_no_file_in_local_d.fail.sh | 13 -------------
.../tests/override_policy.pass.sh | 11 -----------
3 files changed, 35 deletions(-)
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
deleted file mode 100644
index 2de1cf4a3b..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-# using example of opensshserver
-DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-
-update-crypto-policies --set "FIPS:OSPP"
-
-echo "" > "$DROPIN_FILE"
-echo "CRYPTO_POLICY=" >> "$DROPIN_FILE"
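Review bot: this deletes two of the three scenarios that PATCH 1/2 just edited (`dropin_file_and_symlink_exist.fail.sh`, `file_exists_but_no_file_in_local_d.fail.sh`), and the commit message gives no reason; either squash the two patches or say why these scenarios are wrong under the `FIPS:OSPP` policy. Dropping `override_policy.pass.sh` also removes the pass scenario for a local.d override, so if the rule is meant to accept overrides that behaviour is no longer tested.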
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
deleted file mode 100644
index 428b76879a..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-#using example of openssh server
-CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
-
-update-crypto-policies --set "FIPS:OSPP"
-
-rm -f /etc/crypto-policies/local.d/opensshserver-*.config
-rm -f "$CRYPTO_POLICY_FILE"
-
-echo "pretend that we overide the crrypto policy but no related file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
deleted file mode 100644
index ce37abd7ff..0000000000
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-#using openssh server as example
-CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config"
-
-echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE"
-echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE"
-
-update-crypto-policies --set FIPS:OSPP
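Review bot: removing override_policy.pass.sh is the right call, but the reason belongs in the patch description: the drop-in it writes to /etc/crypto-policies/local.d/opensshserver-test.config sets `CRYPTO_POLICY=` to an empty value, and an empty CRYPTO_POLICY leaves sshd with none of the algorithm restrictions that FIPS:OSPP is supposed to impose, so this should never have been a pass scenario. Consider re-adding the same steps as a fail scenario so that a hollow override is explicitly caught.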



@ -0,0 +1,273 @@
From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:16:17 +0100
Subject: [PATCH 1/4] create new rules, add missing reference to older rule
---
.../rule.yml | 26 +++++++++++++++
.../package_openssh-server_installed/rule.yml | 1 +
.../rule.yml | 32 +++++++++++++++++++
.../rule.yml | 29 +++++++++++++++++
5 files changed, 88 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
new file mode 100644
index 0000000000..9b3c55f23b
--- /dev/null
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install OpenSSH client software'
+
+description: |-
+ {{{ describe_package_install(package="openssh-clients") }}}
+
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82722-0
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
+
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: openssh-clients
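Review bot: the rationale "needs to be installed to meet OSPP criteria" restates the requirement instead of justifying it, and patch 4/4 of this same series replaces it with a real one; squash that fix into this commit so the rule never lands with placeholder text. The ospp mapping FIA_UAU.5,FTP_ITC_EXT.1 copied from the server rule is fine, but a sentence in the rationale tying the client to the trusted channel (FTP_ITC_EXT.1) would make the reference self-explanatory.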
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
index c18e604a5c..ba013ec509 100644
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
@@ -28,6 +28,7 @@ references:
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 13,14
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
new file mode 100644
index 0000000000..6025f0cd33
--- /dev/null
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install policycoreutils-python-utils package'
+
+description: |-
+ {{{ describe_package_install(package="policycoreutils-python-utils") }}}
+
+rationale: |-
+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
+ with enhanced security functionality designed to add mandatory access controls to Linux.
+ The Security-enhanced Linux kernel contains new architectural components originally
+ developed to improve security of the Flask operating system. These architectural components
+ provide general support for the enforcement of many kinds of mandatory access control
+ policies, including those based on the concepts of Type Enforcement, Role-based Access
+ Control, and Multi-level Security.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82724-6
+
+references:
+ srg: SRG-OS-000480-GPOS-00227
+
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: policycoreutils-python-utils
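Review bot: this rule is selected in the OSPP profile by patch 2/4, yet unlike the openssh and crypto-policies rules added alongside it, it carries only an `srg:` reference and no `ospp:` SFR, so the profile will contain a rule with no OSPP traceability; add the SFR it is meant to satisfy. The rationale is also a generic description of SELinux rather than a statement of why this package (semanage, audit2allow and friends) is needed; patch 4/4 rewrites it, so squash.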
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
new file mode 100644
index 0000000000..c418518e7a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Install crypto-policies package'
+
+description: |-
+ {{{ describe_package_install(package="crypto-policies") }}}
+
+rationale: |-
+ The <tt>crypto-policies</tt> package provides configuration and tools to
+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
+
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82723-8
+
+references:
+ ospp: FCS_COP*
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
+
+template:
+ name: package_installed
+ vars:
+ pkgname: crypto-policies
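Review bot: `ospp: FCS_COP*` is not an SFR identifier; the references field holds literal strings, so a wildcard here maps to nothing in the OSPP control table. That and the "centralizet" typo in the rationale are both corrected in patch 4/4, so squash the fix into this commit rather than landing the broken reference first. The rule is otherwise consistent with the two other package rules in the series (same template, same OCIL macro, CCE 82723-8 allocated).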
From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:03 +0100
Subject: [PATCH 2/4] modify ospp profile
---
rhel8/profiles/ospp.profile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 4d5a9edd8e..c672066050 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -169,17 +169,17 @@ selections:
- package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_iptables_installed
- - package_libcap-ng-utils_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
- package_rng-tools_installed
- package_sudo_installed
- package_usbguard_installed
- - package_audispd-plugins_installed
- package_scap-security-guide_installed
- package_audit_installed
- - package_gnutls-utils_installed
- - package_nss-tools_installed
+ - package_crypto-policies_installed
+ - package_openssh-server_installed
+ - package_openssh-clients_installed
+ - package_policycoreutils-python-utils_installed
### Remove Prohibited Packages
- package_sendmail_removed
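Review bot: besides the four additions, this hunk silently drops package_gnutls-utils_installed and package_nss-tools_installed from the OSPP baseline, and neither the commit message ("modify ospp profile") nor the spec changelog says why. package_libcap-ng-utils_installed and package_audispd-plugins_installed at least reappear in the STIG profile in patch 3/4, but the two crypto tool packages are removed outright; record the reason (for instance that they are no longer part of the evaluated configuration) so the baseline change is auditable.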
@@ -316,7 +316,7 @@ selections:
## Configure the System to Offload Audit Records to a Log
## Server
## AU-4(1) / FAU_GEN.1.1.c
- - auditd_audispd_syslog_plugin_activated
+ # temporarily dropped
## Set Logon Warning Banner
## AC-8(a) / FMT_MOF_EXT.1
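Review bot: replacing auditd_audispd_syslog_plugin_activated with "# temporarily dropped" leaves the "AU-4(1) / FAU_GEN.1.1.c" heading with no rule selected under it, so the profile's comments now advertise audit offloading that the profile does not check. Either remove the heading together with the rule, or say in the comment what replaces it and when it is expected back (the rule itself moves to the STIG profile in patch 3/4, which is worth cross-referencing here).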
From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 16:18:52 +0100
Subject: [PATCH 3/4] add rules to rhel8 stig profile
---
rhel8/profiles/stig.profile | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 821cc26914..7eb1869a3c 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -33,6 +33,9 @@ selections:
- encrypt_partitions
- sysctl_net_ipv4_tcp_syncookies
- clean_components_post_updating
+ - package_audispd-plugins_installed
+ - package_libcap-ng-utils_installed
+ - auditd_audispd_syslog_plugin_activated
# Configure TLS for remote logging
- package_rsyslog_installed
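Review bot: the three rules are appended directly after clean_components_post_updating with no section comment, while the adjacent block is labelled "# Configure TLS for remote logging"; add a comment in the same style (for example "# Audit offloading, moved from OSPP") so the next reader understands why auditd_audispd_syslog_plugin_activated is selected here at the same time OSPP marks it "temporarily dropped". The package rules that precede it should be listed before the rule that depends on them, as they are, so only the label is missing.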
From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 10 Feb 2020 17:42:43 +0100
Subject: [PATCH 4/4] rephrase some rationales, fix SFR
---
.../ssh/package_openssh-clients_installed/rule.yml | 4 +++-
.../rule.yml | 9 ++-------
.../crypto/package_crypto-policies_installed/rule.yml | 8 ++++----
3 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
index 9b3c55f23b..f5b29d32e8 100644
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
description: |-
{{{ describe_package_install(package="openssh-clients") }}}
-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
+rationale: |-
+ This package includes utilities to make encrypted connections and transfer
+ files securely to SSH servers.
severity: medium
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
index 6025f0cd33..7ae7461077 100644
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
@@ -8,13 +8,8 @@ description: |-
{{{ describe_package_install(package="policycoreutils-python-utils") }}}
rationale: |-
- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
- with enhanced security functionality designed to add mandatory access controls to Linux.
- The Security-enhanced Linux kernel contains new architectural components originally
- developed to improve security of the Flask operating system. These architectural components
- provide general support for the enforcement of many kinds of mandatory access control
- policies, including those based on the concepts of Type Enforcement, Role-based Access
- Control, and Multi-level Security.
+ This package is required to operate and manage an SELinux environment and its policies.
+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
severity: medium
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index c418518e7a..bb07f9d617 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -8,9 +8,9 @@ description: |-
{{{ describe_package_install(package="crypto-policies") }}}
rationale: |-
- The <tt>crypto-policies</tt> package provides configuration and tools to
- apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
-
+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and
+ the applications that run on that operating system. Use of weak or untested encryption algorithms
+ undermines the purposes of utilizing encryption to protect data.
severity: medium
@@ -18,7 +18,7 @@ identifiers:
cce@rhel8: 82723-8
references:
- ospp: FCS_COP*
+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
{{{ complete_ocil_entry_package(package='crypto-policies') }}}


@ -1,13 +1,30 @@
Name: scap-security-guide
Version: 0.1.46
Release: 1%{?dist}
Version: 0.1.48
Release: 7%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch
Patch2: scap-security-guide-0.1.49-max-path-len-skip-logs.patch
Patch3: scap-security-guide-0.1.49-drop-rsyslog-rules.patch
Patch4: scap-security-guide-0.1.49-update-cobit-uri.patch
Patch5: scap-security-guide-0.1.49-ssh-use-strong-rng.patch
Patch6: scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch
Patch7: scap-security-guide-0.1.49-add-stig-kickstart.patch
Patch8: scap-security-guide-0.1.49-add-rsyslog-to-stig.patch
Patch9: scap-security-guide-0.1.49-add-few-srg-mappings.patch
# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations
# from https://github.com/ComplianceAsCode/content/pull/5110
# HEAD 210ee56aab3f831c96810ca42189642274bd735f
Patch10: scap-security-guide-0.1.49-split-audit-rules.patch
Patch11: scap-security-guide-0.1.49-fix-remaining-srgs.patch
# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch
Patch12: scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch
Patch13: scap-security-guide-0.1.49-add-cce-openssh-server.patch
BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires
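Review bot: the comment on Patch12 and Patch13 says their cce-redhat-avail.txt changes were stripped to ease application, which means the CCEs those patches consume (82722-0, 82723-8 and 82724-6 in Patch12) remain listed as available in the 0.1.48 tarball, and any further backport that allocates a CCE from that file could reuse one of them. Either keep the one-line removals in the patches (they are unlikely to conflict even if the file has drifted) or list the consumed identifiers in the comment so a future backport can check against them. The rest of the series reads consistently: Patch3 drops the rsyslog rules from OSPP and Patch8 re-adds them to STIG, matching the 0.1.48-4 changelog entries below.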
@ -42,6 +59,19 @@ present in %{name} package.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
mkdir build
%build
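Review bot: thirteen `%patch<N> -p1` lines after `%setup -q` can be replaced by a single `%autosetup -p1`, which applies every declared PatchN in order and fails the build if one is missing from the list; with a series this long, that also prevents a new PatchN being declared in the preamble but never applied in %prep.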
@ -76,6 +106,45 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
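Review bot: the 0.1.48-7 entry says only "Update baseline package list of OSPP profile", but this release also carries Patch13 (scap-security-guide-0.1.49-add-cce-openssh-server.patch), and the OSPP change removes gnutls-utils and nss-tools from the baseline as well as adding packages; list both so the changelog matches what the spec applies. Several neighbouring entries cite the Bugzilla that motivated them, and a reference for the OSPP baseline change would help anyone auditing why the package list moved.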