Merge branch 'c8' into a8
commit
5d623aa88d
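--- /dev/null
+++ b/SOURCES/reorder-reference-in-alphabetical-order.patch
@@ -0,0 +1,41 @@
+From 628cbacb76e9950528359038cf3237ac7166f0b7 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 14 Mar 2022 12:57:26 +0100
+Subject: [PATCH] Reorder reference in alphabetical order.
+
+---
+.../integrity/crypto/configure_bind_crypto_policy/rule.yml | 2 +-
+.../software/integrity/crypto/configure_crypto_policy/rule.yml | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+index e58c950..8d73d9d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+@@ -29,8 +29,8 @@ identifiers:
+references:
+nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
+nist: SC-13,SC-12(2),SC-12(3)
+- stigid@rhel8: RHEL-08-010020
+srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
++ stigid@rhel8: RHEL-08-010020
+
+ocil_clause: |-
+BIND is installed and the BIND config file doesn't contain the
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+index 5eea87a..a5a8df3 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+@@ -65,8 +65,8 @@ references:
+nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
+nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
+- stigid@rhel8: RHEL-08-010020
+srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
++ stigid@rhel8: RHEL-08-010020
+
+ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
+
+--
+2.34.1
+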
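--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-BZ_1942281-PR_7471.patch
@@ -0,0 +1,199 @@
+From 2cbc694687190cadb155c5582f93a8cf91ebdc4c Mon Sep 17 00:00:00 2001
+From: Marcus Burghardt <maburgha@redhat.com>
+Date: Thu, 26 Aug 2021 15:04:46 +0200
+Subject: [PATCH] Bug 1942281 - Set postfix rules to notapplicable when package
+is not installed
+
+---
+.../rule.yml | 2 ++
+.../rule.yml | 2 ++
+.../services/mail/postfix_harden_os/group.yml | 2 ++
+.../rule.yml | 3 ++-
+products/rhel8/profiles/stig.profile | 4 +---
+products/rhel9/profiles/stig.profile | 4 +---
+shared/applicability/general.yml | 5 +++++
+.../installed_env_has_postfix_package.xml | 20 +++++++++++++++++++
+shared/references/cce-redhat-avail.txt | 1 -
+.../data/profile_stability/rhel8/stig.profile | 3 ++-
+.../profile_stability/rhel8/stig_gui.profile | 3 ++-
+11 files changed, 39 insertions(+), 10 deletions(-)
+create mode 100644 shared/checks/oval/installed_env_has_postfix_package.xml
+
+diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+index 0faafeb0c2f..4b440e79845 100644
+--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
+@@ -21,3 +21,5 @@ ocil: |-
+Run the following command to ensure postfix routes mail to this system:
+<pre>$ grep relayhost /etc/postfix/main.cf</pre>
+If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
++
++platform: postfix
+diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+index 096020ef687..579db484976 100644
+--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
+@@ -42,3 +42,5 @@ ocil: |-
+Run the following command to ensure postfix accepts mail messages from only the local system:
+<pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
+If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
++
++platform: postfix
+diff --git a/linux_os/guide/services/mail/postfix_harden_os/group.yml b/linux_os/guide/services/mail/postfix_harden_os/group.yml
+index 19b662508bd..8a415425e7d 100644
+--- a/linux_os/guide/services/mail/postfix_harden_os/group.yml
++++ b/linux_os/guide/services/mail/postfix_harden_os/group.yml
+@@ -6,3 +6,5 @@ description: |-
+The guidance in this section is appropriate for any host which is
+operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
+or some other software.
++
++platform: postfix
+diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+index 9b4c7656a85..75e4133b119 100644
+--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
++++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml
+@@ -1,6 +1,6 @@
+documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhel9,wrlinux1019
+
+title: 'Prevent Unrestricted Mail Relaying'
+
+@@ -19,6 +19,7 @@ severity: medium
+identifiers:
+cce@rhel7: CCE-80512-7
+cce@rhel8: CCE-84054-6
++ cce@rhel9: CCE-87232-5
+
+references:
+disa: CCI-000366
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index d31b251645b..5e9a2216fcd 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -1160,9 +1160,7 @@ selections:
+- sysctl_net_core_bpf_jit_harden
+
+# RHEL-08-040290
+- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
+- # there needs to be a new platform check to identify when postfix is installed or not
+- # - postfix_prevent_unrestricted_relay
++ - postfix_prevent_unrestricted_relay
+
+# RHEL-08-040300
+- aide_verify_ext_attributes
+diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
+index a40d848ee67..8d60468528d 100644
+--- a/products/rhel9/profiles/stig.profile
++++ b/products/rhel9/profiles/stig.profile
+@@ -1030,9 +1030,7 @@ selections:
+- sysctl_net_ipv4_conf_all_rp_filter
+
+# RHEL-08-040290
+- # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
+- # there needs to be a new platform check to identify when postfix is installed or not
+- # - postfix_prevent_unrestricted_relay
++ - postfix_prevent_unrestricted_relay
+
+# RHEL-08-040300
+- aide_verify_ext_attributes
+diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
+index 6e3ecfd9bf9..4163a07cbad 100644
+--- a/shared/applicability/general.yml
++++ b/shared/applicability/general.yml
+@@ -44,6 +44,11 @@ cpes:
+title: "Package pam is installed"
+check_id: installed_env_has_pam_package
+
++ - postfix:
++ name: "cpe:/a:postfix"
++ title: "Package postfix is installed"
++ check_id: installed_env_has_postfix_package
++
+- sssd:
+name: "cpe:/a:sssd"
+title: "Package sssd-common is installed"
+diff --git a/shared/checks/oval/installed_env_has_postfix_package.xml b/shared/checks/oval/installed_env_has_postfix_package.xml
+new file mode 100644
+index 00000000000..95ad355147b
+--- /dev/null
++++ b/shared/checks/oval/installed_env_has_postfix_package.xml
+@@ -0,0 +1,20 @@
++<def-group>
++
++ <definition class="inventory"
++ id="installed_env_has_postfix_package" version="1">
++ <metadata>
++ <title>Package postfix is installed</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>Checks if package postfix is installed.</description>
++ <reference ref_id="cpe:/a:postfix" source="CPE" />
++ </metadata>
++ <criteria>
++ <criterion comment="Package postfix is installed" test_ref="test_env_has_postfix_installed" />
++ </criteria>
++ </definition>
++
++ {{{ oval_test_package_installed(package='postfix', evr='', test_id='test_env_has_postfix_installed') }}}
++
++</def-group>
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index ee4c156b79c..29fe687600c 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1314,7 +1314,6 @@ CCE-87228-3
+CCE-87229-1
+CCE-87230-9
+CCE-87231-7
+-CCE-87232-5
+CCE-87233-3
+CCE-87234-1
+CCE-87235-8
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ba596f86f83..ca0097b844b 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -64,8 +64,8 @@ selections:
+- accounts_user_home_paths_only
+- accounts_user_interactive_home_directory_defined
+- accounts_user_interactive_home_directory_exists
+-- aide_check_audit_tools
+- agent_mfetpd_running
++- aide_check_audit_tools
+- aide_scan_notification
+- aide_verify_acls
+- aide_verify_ext_attributes
+@@ -304,6 +304,7 @@ selections:
+- partition_for_var_log_audit
+- partition_for_var_tmp
+- postfix_client_configure_mail_alias
++- postfix_prevent_unrestricted_relay
+- require_emergency_target_auth
+- require_singleuser_auth
+- root_permissions_syslibrary_files
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index 9db93027011..3533208c4a5 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -75,8 +75,8 @@ selections:
+- accounts_user_home_paths_only
+- accounts_user_interactive_home_directory_defined
+- accounts_user_interactive_home_directory_exists
+-- aide_check_audit_tools
+- agent_mfetpd_running
++- aide_check_audit_tools
+- aide_scan_notification
+- aide_verify_acls
+- aide_verify_ext_attributes
+@@ -315,6 +315,7 @@ selections:
+- partition_for_var_log_audit
+- partition_for_var_tmp
+- postfix_client_configure_mail_alias
++- postfix_prevent_unrestricted_relay
+- require_emergency_target_auth
+- require_singleuser_auth
+- root_permissions_syslibrary_files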
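Review bot: The `platform: postfix` added to postfix_harden_os/group.yml sits directly under a description that still says the group's guidance is "appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software"; if the group platform is inherited as intended, every rule under it — including postfix_prevent_unrestricted_relay, which this patch re-enables in the RHEL 8/9 STIG profiles without a platform of its own — becomes notapplicable on a host running another MTA, so an open relay there is no longer checked at all. Either narrow the description to match, e.g. `The guidance in this section applies only when the Postfix package is installed.`, or attach `platform: postfix` to the individual Postfix rules the way the relayhost and network_listening hunks do. The new CPE entry in shared/applicability/general.yml and the installed_env_has_postfix_package inventory definition follow the existing pam entry's shape and look consistent with each other.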
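--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.58-RHEL_08_010400-PR_7411.patch
@@ -0,0 +1,375 @@
+From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Thu, 19 Aug 2021 11:16:08 -0500
+Subject: [PATCH] Added rule for RHEL-08-010400
+
+---
+.../ansible/shared.yml | 27 +++++++++++++
+.../bash/shared.sh | 33 +++++++++++++++
+.../oval/shared.xml | 30 ++++++++++++++
+.../sssd_certificate_verification/rule.yml | 40 +++++++++++++++++++
+.../tests/correct_value.pass.sh | 6 +++
+.../tests/correct_with_others_before.pass.sh | 6 +++
+.../tests/not_configured.fail.sh | 5 +++
+.../tests/partial_config.fail.sh | 6 +++
+.../tests/wrong_section.fail.sh | 6 +++
+.../tests/wrong_value.fail.sh | 6 +++
+...rtificate_verification_digest_function.var | 20 ++++++++++
+products/rhel8/profiles/stig.profile | 2 +
+shared/references/cce-redhat-avail.txt | 1 -
+.../data/profile_stability/rhel8/stig.profile | 4 +-
+.../profile_stability/rhel8/stig_gui.profile | 4 +-
+15 files changed, 193 insertions(+), 3 deletions(-)
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
+create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
+create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
+
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
+new file mode 100644
+index 00000000000..8e36f0974fd
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
+@@ -0,0 +1,27 @@
++# platform = multi_platform_fedora,multi_platform_rhel
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = medium
++
++- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
++ ini_file:
++ path: /etc/sssd/sssd.conf
++ section: sssd
++ option: certificate_verification
++ state: absent
++
++- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
++ ini_file:
++ path: /etc/sssd/conf.d/*.conf
++ section: sssd
++ option: certificate_verification
++ state: absent
++
++- name: Ensure that "certificate_verification" is set
++ ini_file:
++ path: /etc/sssd/conf.d/certificate_verification.conf
++ section: sssd
++ option: certificate_verification
++ value: "ocsp_dgst = sha1"
++ state: present
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
+new file mode 100644
+index 00000000000..8f9e5514480
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
+@@ -0,0 +1,33 @@
++# platform = multi_platform_rhel,multi_platform_fedora
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = medium
++
++# include our remediation functions library
++. /usr/share/scap-security-guide/remediation_functions
++
++{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
++
++found=false
++for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do
++ if [ ! -e "$f" ]; then
++ continue
++ fi
++ cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )
++ if [ -n "$cert" ] ; then
++ if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then
++ sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
++ fi
++ found=true
++ fi
++done
++
++if ! $found ; then
++ SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"
++ mkdir -p $( dirname $SSSD_CONF )
++ touch $SSSD_CONF
++ chown root:root $SSSD_CONF
++ chmod 600 $SSSD_CONF
++ echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF
++fi
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
+new file mode 100644
+index 00000000000..77736f54f03
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
+@@ -0,0 +1,30 @@
++<def-group>
++ <definition class="compliance" id="{{{ rule_id }}}" version="1">
++ {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst
++ digest function") }}}
++ <criteria>
++ <criterion comment="check value of certificate_verification in sssd configuration"
++ test_ref="test_{{{rule_id}}}" />
++ </criteria>
++ </definition>
++
++ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test the value of
++ certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">
++ <ind:object object_ref="obj_{{{rule_id}}}" />
++ <ind:state state_ref="state_{{{rule_id}}}" />
++ </ind:textfilecontent54_test>
++
++ <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
++ <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
++ <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++ <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">
++ <ind:subexpression operation="equals" var_check="all"
++ var_ref="var_sssd_certificate_verification_digest_function" />
++ </ind:textfilecontent54_state>
++
++ <external_variable comment="certificate_verification value" datatype="string"
++ id="var_sssd_certificate_verification_digest_function" version="1" />
++</def-group>
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
+new file mode 100644
+index 00000000000..182e75a2aab
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++prodtype: fedora,rhel8
++
++title: 'Certificate certificate status checking in SSSD'
++
++description: |-
++ Multifactor solutions that require devices separate from information systems gaining access include,
++ for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
++ By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for
++ multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
++
++rationale: |-
++ Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
++ ensures the security of the system.
++
++severity: medium
++
++identifiers:
++ cce@rhel8: CCE-86120-3
++
++references:
++ disa: CCI-001948
++ nist: IA-2(11)
++ srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
++ stigid@rhel8: RHEL-08-010400
++
++
++ocil_clause: 'certificate_verification in sssd is not configured'
++
++ocil: |-
++ Check to see if Online Certificate Status Protocol (OCSP)
++ is enabled and using the proper digest value on the system with the following command:
++ <pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"</pre>
++ If configured properly, output should look like
++ <pre>
++ certificate_verification = ocsp_dgst=sha1
++ </pre>
++ The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
++ <pre>$ sudo systemctl restart sssd.service</pre>
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
+new file mode 100644
+index 00000000000..24c19f44fdc
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
++echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
+new file mode 100644
+index 00000000000..982450fc81b
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
++echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
+new file mode 100644
+index 00000000000..ed011f9d4bc
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
+@@ -0,0 +1,5 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
+new file mode 100644
+index 00000000000..3c7c468b9d5
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
++echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
+new file mode 100644
+index 00000000000..635ca4bebcc
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
++echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
+new file mode 100644
+index 00000000000..93f363edc04
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# packages = sssd-common
++
++mkdir -p /etc/sssd/conf.d
++touch /etc/sssd/sssd.conf
++echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf
+diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
+new file mode 100644
+index 00000000000..cdbd0a13576
+--- /dev/null
++++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
+@@ -0,0 +1,20 @@
++documentation_complete: true
++
++title: 'SSSD certificate_verification option'
++
++description: |-
++ Value of the certificate_verification option in
++ the SSSD config.
++
++type: string
++
++operator: equals
++
++interactive: true
++
++options:
++ sha1: sha1
++ sha256: sha256
++ sha384: sha384
++ sha512: sha512
++ default: sha1
+diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
+index 9dc9360e899..5b1f709faaf 100644
+--- a/products/rhel8/profiles/stig.profile
++++ b/products/rhel8/profiles/stig.profile
+@@ -70,6 +70,7 @@ selections:
+- var_auditd_disk_error_action=halt
+- var_auditd_max_log_file_action=syslog
+- var_auditd_disk_full_action=halt
++ - var_sssd_certificate_verification_digest_function=sha1
+
+### Enable / Configure FIPS
+- enable_fips_mode
+@@ -275,6 +276,7 @@ selections:
+- install_smartcard_packages
+
+# RHEL-08-010400
++ - sssd_certificate_verification
+
+# RHEL-08-010410
+- package_opensc_installed
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 3b24e19da06..81f94f7dbca 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -236,7 +236,6 @@ CCE-86116-1
+CCE-86117-9
+CCE-86118-7
+CCE-86119-5
+-CCE-86120-3
+CCE-86121-1
+CCE-86122-9
+CCE-86123-7
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index e9ba0f0adbf..baef93bba64 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -342,6 +342,7 @@ selections:
+- sshd_set_keepalive_0
+- sshd_use_strong_rng
+- sshd_x11_use_localhost
++- sssd_certificate_verification
+- sssd_enable_certmap
+- sssd_enable_smartcards
+- sssd_offline_cred_expiration
+@@ -410,6 +411,7 @@ selections:
+- sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
+- sshd_idle_timeout_value=10_minutes
++- var_accounts_authorized_local_users_regex=rhel8
+- var_accounts_passwords_pam_faillock_deny=3
+- var_accounts_passwords_pam_faillock_fail_interval=900
+- var_accounts_passwords_pam_faillock_unlock_time=never
+@@ -425,7 +427,7 @@ selections:
+- var_auditd_disk_error_action=halt
+- var_auditd_max_log_file_action=syslog
+- var_auditd_disk_full_action=halt
+-- var_accounts_authorized_local_users_regex=rhel8
++- var_sssd_certificate_verification_digest_function=sha1
+- var_system_crypto_policy=fips
+- var_sudo_timestamp_timeout=always_prompt
+title: DISA STIG for Red Hat Enterprise Linux 8
+diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
+index c8540f9392e..237f66c721f 100644
+--- a/tests/data/profile_stability/rhel8/stig_gui.profile
++++ b/tests/data/profile_stability/rhel8/stig_gui.profile
+@@ -353,6 +353,7 @@ selections:
+- sshd_set_keepalive_0
+- sshd_use_strong_rng
+- sshd_x11_use_localhost
++- sssd_certificate_verification
+- sssd_enable_certmap
+- sssd_enable_smartcards
+- sssd_offline_cred_expiration
+@@ -420,6 +421,7 @@ selections:
+- sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
+- sshd_idle_timeout_value=10_minutes
++- var_accounts_authorized_local_users_regex=rhel8
+- var_accounts_passwords_pam_faillock_deny=3
+- var_accounts_passwords_pam_faillock_fail_interval=900
+- var_accounts_passwords_pam_faillock_unlock_time=never
+@@ -435,7 +437,7 @@ selections:
+- var_auditd_disk_error_action=halt
+- var_auditd_max_log_file_action=syslog
+- var_auditd_disk_full_action=halt
+-- var_accounts_authorized_local_users_regex=rhel8
++- var_sssd_certificate_verification_digest_function=sha1
+- var_system_crypto_policy=fips
+- var_sudo_timestamp_timeout=always_prompt
+title: DISA STIG with GUI for Red Hat Enterprise Linux 8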
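Review bot: The third task in sssd_certificate_verification/ansible/shared.yml hard-codes `value: "ocsp_dgst = sha1"`, while the OVAL state compares the captured digest against var_sssd_certificate_verification_digest_function and the bash remediation instantiates that same variable, so a profile that selects sha256 or sha512 would be remediated to sha1 by Ansible and then keep failing the check. The same task creates /etc/sssd/conf.d/certificate_verification.conf without owner, group or mode, whereas the bash fallback explicitly runs `chown root:root` and `chmod 600` on the same path — the Ansible path should set the same ownership and 0600 mode so SSSD treats the snippet the way the bash-remediated one is treated. As far as I can tell the `ini_file` module takes `path` literally, so the second task's `path: /etc/sssd/conf.d/*.conf` probably touches no existing snippet and may leave a stray file, which is worth verifying before relying on it. Separately, rule.yml carries typos in the new text (`title: 'Certificate certificate status checking in SSSD'`, "sures", "Enusring") that are cheapest to fix while the rule is new.
```yaml
# … unchanged: header comments and the two "state: absent" tasks …

{{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}

- name: Ensure that "certificate_verification" is set
  ini_file:
    path: /etc/sssd/conf.d/certificate_verification.conf
    section: sssd
    option: certificate_verification
    value: "ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}"
    state: present
    owner: root
    group: root
    mode: '0600'
```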
@ -0,0 +1,23 @@
|
||||
From 91fb54a2e5e52d789f786fefbe711e7250470437 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 16 Sep 2021 19:45:26 +0200
|
||||
Subject: [PATCH] Force masking of ctrl-alt-del.target
|
||||
|
||||
Without forcing the remediation it never converges.
|
||||
The target is stopped but not masked.
|
||||
---
|
||||
.../disable_ctrlaltdel_reboot/ansible/shared.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
|
||||
index 8ea1de865ae..30f06a8751c 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
|
||||
@@ -7,6 +7,7 @@
|
||||
- name: Disable Ctrl-Alt-Del Reboot Activation
|
||||
systemd:
|
||||
name: ctrl-alt-del.target
|
||||
+ force: yes
|
||||
masked: yes
|
||||
state: stopped
|
||||
|
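Review bot: The added `force: yes` changes the systemd task to overwrite whatever symlink already exists at the ctrl-alt-del.target unit path, and the reason — that without it the target is stopped but never masked, so the remediation never converges — lives only in the commit message, not in the task. A short comment above the line, `# force: replace an existing unit symlink, otherwise masking never converges`, would keep that rationale where the next reader of the playbook will see it. The rest of the task, including its header comments, is outside the hunk.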
@ -0,0 +1,33 @@
|
||||
From 69eb6ab86201b5566595b3b6ac12f643dcd9e0ca Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 16 Sep 2021 14:59:27 +0200
|
||||
Subject: [PATCH] Fix typo in rsyslog streamdriver remediations
|
||||
|
||||
The Ansible remediations don't need to escape '$'.
|
||||
---
|
||||
.../ansible/shared.yml | 2 +-
|
||||
.../ansible/shared.yml | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
index bbd27a00611..5d11103fc0f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
@@ -5,5 +5,5 @@
|
||||
# disruption = low
|
||||
|
||||
{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
|
||||
- parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
|
||||
+ parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
|
||||
}}}
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
index b215daaef4b..035ab152876 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
@@ -5,5 +5,5 @@
|
||||
# disruption = low
|
||||
|
||||
{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
|
||||
- parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
|
||||
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
|
||||
}}}
|
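Review bot: Dropping the backslash fixes the line that gets written, but `parameter` is very likely also used to build the match regex (the macro takes a `separator_regex` argument), and in a regular expression an unescaped leading `$` is an end-of-line anchor, so a pattern like `^\s*$ActionSendStreamDriverMode` would never match an existing directive. If that reading of `ansible_set_config_file` is right, a pre-existing `$ActionSendStreamDriverMode 0` line would not be replaced and the remediation would append a second, conflicting directive instead of correcting the weaker value; the `$DefaultNetstreamDriver` hunk in the second file has the same exposure. Worth confirming against the macro and, if needed, escaping the parameter only on the regex side rather than in both places. Each hunk shows only the macro call, so the rest of the remediation files is not visible here.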
1837
SOURCES/scap-security-guide-0.1.58-templated_tests-PR_7211.patch
841
SOURCES/scap-security-guide-0.1.59-BZ1884687-PR_7770.patch
@ -0,0 +1,841 @@
|
||||
commit 549241cec9404bd211a580454fdd28cb72dfe520
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 17:24:17 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.59-BZ1884687-PR_7770.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..09d1984
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/ansible/shared.yml
|
||||
@@ -0,0 +1,31 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence of home directories to avoid creating them, but only fixing group ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ gid_min }}}
|
||||
+ - item.value[2]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the group-owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ group: '{{ item.0.value[2] }}'
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..08f7307
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..a1d1f2e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/oval/shared.xml
|
||||
@@ -0,0 +1,89 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All interactive user's Home Directories must be group-owned by its user") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_file_groupownership_home_directories"
|
||||
+ comment="All interactive user's Home Directories must be group-owned by its user"/>
|
||||
+ <criterion test_ref="test_file_groupownership_home_directories_duplicated"
|
||||
+ comment="Interactive users should group-own only one Home Directory"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!-- For detailed comments about logic used in this OVAL, check the
|
||||
+ "file_ownership_home_directories" rule. -->
|
||||
+ <unix:password_object id="object_file_groupownership_home_directories_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_file_groupownership_home_directories_interactive_gids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_file_groupownership_home_directories_interactive_gids" version="1">
|
||||
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### prepare for test_file_groupownership_home_directories #### -->
|
||||
+ <local_variable id="var_file_groupownership_home_directories_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from primary interactive groups">
|
||||
+ <object_component item_field="home_dir" object_ref="object_file_groupownership_home_directories_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <local_variable id="var_file_groupownership_home_directories_gids" datatype="int" version="1"
|
||||
+ comment="Variable including all gids from primary interactive group">
|
||||
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_file_groupownership_home_directories_dirs" version="1">
|
||||
+ <unix:path var_ref="var_file_groupownership_home_directories_dirs" var_check="at least one"/>
|
||||
+ <unix:filename xsi:nil="true"/>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_file_groupownership_home_directories_gids" version="1">
|
||||
+ <unix:group_id datatype="int" var_check="only one" var_ref="var_file_groupownership_home_directories_gids"/>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <!-- #### creatin of test_file_groupownership_home_directories #### -->
|
||||
+ <unix:file_test id="test_file_groupownership_home_directories" check="all" check_existence="any_exist"
|
||||
+ version="1" comment="All home directories are group-owned by a local interactive group">
|
||||
+ <unix:object object_ref="object_file_groupownership_home_directories_dirs"/>
|
||||
+ <unix:state state_ref="state_file_groupownership_home_directories_gids"/>
|
||||
+ </unix:file_test>
|
||||
+
|
||||
+ <!-- #### prepare for test_file_groupownership_home_directories_duplicated #### -->
|
||||
+ <local_variable id="var_file_groupownership_home_directories_gids_count" datatype="int" version="1"
|
||||
+ comment="Variable including count of gids from interactive group-owners">
|
||||
+ <count>
|
||||
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_dirs"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <local_variable id="var_file_groupownership_home_directories_gids_count_uniq" datatype="int" version="1"
|
||||
+ comment="Variable including count of uniq gids from interactive group-owners">
|
||||
+ <count>
|
||||
+ <unique>
|
||||
+ <object_component item_field="group_id" object_ref="object_file_groupownership_home_directories_dirs"/>
|
||||
+ </unique>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <ind:variable_object id="object_file_groupownership_home_directories_gids_count" version="1">
|
||||
+ <ind:var_ref>var_file_groupownership_home_directories_gids_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <!-- #### creation of state_no_duplicate_groupowners #### -->
|
||||
+ <ind:variable_state id="state_file_groupownership_home_directories_gids_count_uniq" version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_file_groupownership_home_directories_gids_count_uniq"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <ind:variable_test id="test_file_groupownership_home_directories_duplicated" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="It should not exist duplicated group-owners of home dirs">
|
||||
+ <ind:object object_ref="object_file_groupownership_home_directories_gids_count"/>
|
||||
+ <ind:state state_ref="state_file_groupownership_home_directories_gids_count_uniq"/>
|
||||
+ </ind:variable_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
index 2e6ce60..e33660f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
||||
@@ -10,6 +10,10 @@ description: |-
|
||||
interactive users home directory, use the following command:
|
||||
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i></pre>
|
||||
|
||||
+ This rule ensures every home directory related to an interactive user is
|
||||
+ group-owned by an interactive user. It also ensures that interactive users
|
||||
+ are group-owners of one and only one home directory.
|
||||
+
|
||||
rationale: |-
|
||||
If the Group Identifier (GID) of a local interactive users home directory is
|
||||
not the same as the primary GID of the user, this would allow unauthorized
|
||||
@@ -42,3 +46,9 @@ ocil: |-
|
||||
To verify the assigned home directory of all interactive users is group-
|
||||
owned by that users primary GID, run the following command:
|
||||
<pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Due to OVAL limitation, this rule can report a false negative in a
|
||||
+ specific situation where two interactive users swap the group-ownership
|
||||
+ of their respective home directories.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..1605339
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/expected_groupowner.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chgrp $USER /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5bce517
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_one_absent.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..9d0f765
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/home_dirs_with_same_groupowner.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Define the same owner for two home directories
|
||||
+chgrp $USER1 /home/$USER1
|
||||
+chgrp $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..c1a87c1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chgrp 2 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..d352011
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chgrp 10005 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..0cffa4a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_crossed_groupowner.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Define the same owner for two home directories
|
||||
+chgrp $USER2 /home/$USER1
|
||||
+chgrp $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..3e5b778
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/warning_home_dirs_swapped_groupowner.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Swap the group-ownership of two home directories
|
||||
+# WARNING: This test scenario will report a false negative, as explained in the
|
||||
+# warning section of this rule.
|
||||
+chgrp $USER2 /home/$USER1
|
||||
+chgrp $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..97d4274
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/ansible/shared.yml
|
||||
@@ -0,0 +1,31 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[1]|int >= {{{ uid_min }}}
|
||||
+ - item.value[1]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ owner: '{{ item.0.value[1] }}'
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..1d1e675
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6) }' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..3d0b9ae
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/oval/shared.xml
|
||||
@@ -0,0 +1,142 @@
|
||||
+<def-group>
|
||||
+ <!-- Updated references of the OVAL language used in this file can be found in this link:
|
||||
+ https://oval-community-guidelines.readthedocs.io/en/latest/oval-schema-documentation/oval-definitions-schema.html
|
||||
+ -->
|
||||
+
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All interactive user's Home Directories must be owned by its user") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_file_ownership_home_directories"
|
||||
+ comment="All interactive user's Home Directories must be owned by its user"/>
|
||||
+ <criterion test_ref="test_file_ownership_home_directories_duplicated"
|
||||
+ comment="Interactive users should own only one Home Directory"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!--
|
||||
+ Extract a list composed of password objects filtered by UIDs starting in {{{ uid_min }}} and
|
||||
+ not equal to "nobody". Most of (if not all) distros have the special user "nobody" with uid
|
||||
+ 65354. Despite it be technically classified as an interactive user, it is a special case with
|
||||
+ very limited access. So, we ignore it. The resulted password object will be further used to
|
||||
+ create local variables composed by UIDs e Home Dirs.
|
||||
+ -->
|
||||
+ <unix:password_object id="object_file_ownership_home_directories_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_file_ownership_home_directories_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <!--
|
||||
+ In distros which uses PAM (almost all), by default, the uid of interactive users and groups
|
||||
+ starts at 1000. We use this information to make sure this password_state object will be
|
||||
+ composed only with objects related to interactive users.
|
||||
+ -->
|
||||
+ <unix:password_state id="state_file_ownership_home_directories_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!--
|
||||
+ #### prepare for test_file_groupownership_home_directories ####
|
||||
+ From the list of interactive users objects we create a local variable composed of their home dirs.
|
||||
+ -->
|
||||
+ <local_variable id="var_file_ownership_home_directories_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir" object_ref="object_file_ownership_home_directories_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!--
|
||||
+ From the list of interactive users objects we create a local variable composed of their uids.
|
||||
+ -->
|
||||
+ <local_variable id="var_file_ownership_home_directories_uids" datatype="int" version="1"
|
||||
+ comment="List of interactive users uids">
|
||||
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!--
|
||||
+ #### creation of object ####
|
||||
+ We have the home dirs, but to test their ownership we need a "file_object" and not a password
|
||||
+ object, as the initial source of this information is. So, we create this file_object based on
|
||||
+ content from the previous local variable.
|
||||
+ -->
|
||||
+ <unix:file_object id="object_file_ownership_home_directories_dirs" version="1">
|
||||
+ <unix:path var_ref="var_file_ownership_home_directories_dirs" var_check="at least one"/>
|
||||
+ <unix:filename xsi:nil="true"/>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!--
|
||||
+ #### creation of state ####
|
||||
+ We have the relevant uids, but we need a "file_state" object to use in our intendend test.
|
||||
+ So, we create this file_state based on content from the previous local variable.
|
||||
+ -->
|
||||
+ <unix:file_state id="state_file_ownership_home_directories_uids" version="1">
|
||||
+ <unix:user_id datatype="int" var_check="only one" var_ref="var_file_ownership_home_directories_uids"/>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!--
|
||||
+ #### creation of test ####
|
||||
+ Perform the test to ensure that all home dirs are owned by an interactive user.
|
||||
+ This test will make sure that no foreign or system user is owner of an existing home dir.
|
||||
+ However, this can't ensure that one local interactive user is the owner of only one home dir.
|
||||
+ Currently this is an OVAL limitation which we try to mitigate with a second test below.
|
||||
+ -->
|
||||
+ <unix:file_test id="test_file_ownership_home_directories" check="all" check_existence="any_exist"
|
||||
+ version="1" comment="All home directories are owned by a local interactive user">
|
||||
+ <unix:object object_ref="object_file_ownership_home_directories_dirs"/>
|
||||
+ <unix:state state_ref="state_file_ownership_home_directories_uids"/>
|
||||
+ </unix:file_test>
|
||||
+
|
||||
+ <!--
|
||||
+ We create an extra test to make sure that the number of home dirs and their respective owners
|
||||
+ are the same. This is to catch situations where one local user owns more than one home dir.
|
||||
+ However, we still can have a situation where two local users cross the ownership of their
|
||||
+ respective home dirs. Although very atypical, we should be aware of this possible false
|
||||
+ positive and that it is not possible to be solved with the current OVAL capabilities.
|
||||
+ -->
|
||||
+ <!--
|
||||
+ This create an int variable composed by the count of file_object items.
|
||||
+ -->
|
||||
+ <local_variable id="var_file_ownership_home_directories_uids_count" datatype="int" version="1"
|
||||
+ comment="Count home dirs related to interactive users">
|
||||
+ <count>
|
||||
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_dirs"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!--
|
||||
+ This create an int variable composed by the count of unique user_ids collected from
|
||||
+ file_object items.
|
||||
+ -->
|
||||
+ <local_variable id="var_file_ownership_home_directories_uids_count_uniq" datatype="int" version="1"
|
||||
+ comment="Count current owners of relevant home dirs">
|
||||
+ <count>
|
||||
+ <unique>
|
||||
+ <object_component item_field="user_id" object_ref="object_file_ownership_home_directories_dirs"/>
|
||||
+ </unique>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!--
|
||||
+ #### creation of object ####
|
||||
+ Turn the OVAL variable representing count of home dirs into OVAL object.
|
||||
+ This way we can test it further.
|
||||
+ -->
|
||||
+ <ind:variable_object id="object_file_ownership_home_directories_uids_count" version="1">
|
||||
+ <ind:var_ref>var_file_ownership_home_directories_uids_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <!--
|
||||
+ #### creation of state ####
|
||||
+ this state checks that both counts (unique and non-unique) are the same
|
||||
+ -->
|
||||
+ <ind:variable_state id="state_file_ownership_home_directories_uids_count_uniq" version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_file_ownership_home_directories_uids_count_uniq"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <ind:variable_test id="test_file_ownership_home_directories_duplicated" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="It should not exist duplicated owners of home dirs">
|
||||
+ <ind:object object_ref="object_file_ownership_home_directories_uids_count"/>
|
||||
+ <ind:state state_ref="state_file_ownership_home_directories_uids_count_uniq"/>
|
||||
+ </ind:variable_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
index 198a9be..042f484 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
|
||||
@@ -10,6 +10,10 @@ description: |-
|
||||
the following command:
|
||||
<pre>$ sudo chown <i>USER</i> /home/<i>USER</i></pre>
|
||||
|
||||
+ This rule ensures every home directory related to an interactive user is
|
||||
+ owned by an interactive user. It also ensures that interactive users are
|
||||
+ owners of one and only one home directory.
|
||||
+
|
||||
rationale: |-
|
||||
If a local interactive user does not own their home directory, unauthorized
|
||||
users could access or modify the user's files, and the users may not be able to
|
||||
@@ -31,3 +35,9 @@ ocil_clause: 'the user ownership is incorrect'
|
||||
ocil: |-
|
||||
To verify the home directory ownership, run the following command:
|
||||
<pre># ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Due to OVAL limitation, this rule can report a false negative in a
|
||||
+ specific situation where two interactive users swap the ownership of
|
||||
+ their respective home directories.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..585f759
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/expected_owner.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chown $USER /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..7c181af
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dir_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5bce517
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_one_absent.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..e6aef9e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/home_dirs_with_same_owner.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Define the same owner for two home directories
|
||||
+chown $USER1 /home/$USER1
|
||||
+chown $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..011b315
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_system_id.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chown 2 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..733af78
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/unexpected_owner_unknown_id.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chown 10005 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..df5655f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_crossed_owner.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Define the same owner for two home directories
|
||||
+chown $USER2 /home/$USER1
|
||||
+chown $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..e9cfd5b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/tests/warning_home_dirs_swapped_owner.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+# Swap the ownership of two home directories
|
||||
+# WARNING: This test scenario will report a false negative, as explained in the
|
||||
+# warning section of this rule.
|
||||
+chown $USER2 /home/$USER1
|
||||
+chown $USER1 /home/$USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..945ed7e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/ansible/shared.yml
|
||||
@@ -0,0 +1,31 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence home directories to avoid creating them, but only fixing group ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ uid_min }}}
|
||||
+ - item.value[2]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the group-owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ mode: '0700'
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
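Review bot: The `when` clauses on the stat task select users by `item.value[2]`, but the same playbook reads the home directory as `item.value[4]`, which only makes sense if `value` holds the passwd fields after the username (`[passwd, uid, gid, gecos, home, shell]`); on that layout `value[2]` is the primary GID and the UID is `value[1]`, so `- item.value[1]|int >= {{{ uid_min }}}` and `- item.value[1]|int != 65534` look like the intended conditions — please confirm against the getent_passwd fact. The same index is used in the two accounts_user_interactive_home_directory_* playbooks later in this patch, and the three bash remediations make the equivalent slip with awk field `$4` (the GID column of /etc/passwd) where `$3` is the UID, as the OCIL command earlier in this patch correctly uses. Separately, the stat task is named "...but only fixing group ownership" while the following task sets `mode: '0700'`; the name looks copied from a group-ownership rule and should say it is fixing permissions.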
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..4ebc674
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f 700 "$6) }' /etc/passwd
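Review bot: `system("chmod -f 700 "$6)` hands the home-directory field of /etc/passwd to a shell as unquoted text, so a path containing whitespace or shell metacharacters is split or interpreted instead of being treated as a single argument; printing the path and applying it through a quoted variable avoids that, e.g. `awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6 }' /etc/passwd | while IFS= read -r dir; do chmod -f 700 "$dir"; done`. The OVAL for this rule is titled "mode 0750 Or Less Permissive", yet the remediation applies 700, which is stricter than the check requires and removes group access that some deployments rely on; `750` is the smallest change that satisfies the check.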
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..0cb261e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/oval/shared.xml
|
||||
@@ -0,0 +1,51 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All Interactive User Home Directories Must Have mode 0750 Or Less Permissive") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_file_permissions_home_directories"
|
||||
+ comment="All interactive user's Home Directories must have proper permissions"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!-- For detailed comments about logic used in this OVAL, check the
|
||||
+ "file_ownership_home_directories" rule. -->
|
||||
+ <unix:password_object id="object_file_permissions_home_directories_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_file_permissions_home_directories_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_file_permissions_home_directories_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### prepare for test_file_permissions_home_directories #### -->
|
||||
+ <local_variable id="var_file_permissions_home_directories_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir" object_ref="object_file_permissions_home_directories_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_file_permissions_home_directories_dirs" version="1">
|
||||
+ <unix:path var_ref="var_file_permissions_home_directories_dirs" var_check="at least one"/>
|
||||
+ <unix:filename xsi:nil="true"/>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_file_permissions_home_directories_dirs" version="1" operator='AND'>
|
||||
+ <unix:type operation="equals">directory</unix:type>
|
||||
+ <unix:suid datatype="boolean">false</unix:suid>
|
||||
+ <unix:sgid datatype="boolean">false</unix:sgid>
|
||||
+ <unix:sticky datatype="boolean">false</unix:sticky>
|
||||
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
|
||||
+ <unix:oread datatype="boolean">false</unix:oread>
|
||||
+ <unix:owrite datatype="boolean">false</unix:owrite>
|
||||
+ <unix:oexec datatype="boolean">false</unix:oexec>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:file_test id="test_file_permissions_home_directories" check="all" check_existence="any_exist"
|
||||
+ version="1" comment="All home directories have proper permissions">
|
||||
+ <unix:object object_ref="object_file_permissions_home_directories_dirs"/>
|
||||
+ <unix:state state_ref="state_file_permissions_home_directories_dirs"/>
|
||||
+ </unix:file_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..aaf939e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/acceptable_permission.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chmod 750 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5dfd426
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/expected_permissions.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chmod 700 /home/$USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/home_dirs_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..2f337d2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/tests/lenient_permission.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+chmod 755 /home/$USER
|
||||
diff --git a/ssg/constants.py b/ssg/constants.py
|
||||
index e2d3077..64e2712 100644
|
||||
--- a/ssg/constants.py
|
||||
+++ b/ssg/constants.py
|
||||
@@ -380,6 +380,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
|
||||
|
||||
|
||||
# Application constants
|
||||
+DEFAULT_GID_MIN = 1000
|
||||
DEFAULT_UID_MIN = 1000
|
||||
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
|
||||
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
|
||||
diff --git a/ssg/products.py b/ssg/products.py
|
||||
index 25178b7..e410e06 100644
|
||||
--- a/ssg/products.py
|
||||
+++ b/ssg/products.py
|
||||
@@ -7,6 +7,7 @@ from glob import glob
|
||||
|
||||
from .build_cpe import ProductCPEs
|
||||
from .constants import (product_directories,
|
||||
+ DEFAULT_GID_MIN,
|
||||
DEFAULT_UID_MIN,
|
||||
DEFAULT_GRUB2_BOOT_PATH,
|
||||
DEFAULT_DCONF_GDM_DIR,
|
||||
@@ -39,6 +40,9 @@ def _get_implied_properties(existing_properties):
|
||||
if pkg_manager in PKG_MANAGER_TO_CONFIG_FILE:
|
||||
result["pkg_manager_config_file"] = PKG_MANAGER_TO_CONFIG_FILE[pkg_manager]
|
||||
|
||||
+ if "gid_min" not in existing_properties:
|
||||
+ result["gid_min"] = DEFAULT_GID_MIN
|
||||
+
|
||||
if "uid_min" not in existing_properties:
|
||||
result["uid_min"] = DEFAULT_UID_MIN
|
||||
|
507
SOURCES/scap-security-guide-0.1.59-BZ1884687B-PR_7790.patch
@ -0,0 +1,507 @@
|
||||
From 5ec53805a4aaf04752400eef826ff49222c0a3ba Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Wed, 20 Oct 2021 16:17:01 +0200
|
||||
Subject: [PATCH 1/3] OVAL, tests and remediation for the rule:
|
||||
|
||||
accounts_user_interactive_home_directory_defined
|
||||
---
|
||||
.../ansible/shared.yml | 24 +++++++++++++
|
||||
.../bash/shared.sh | 9 +++++
|
||||
.../oval/shared.xml | 36 +++++++++++++++++++
|
||||
.../tests/home_dir_all_empty.fail.sh | 6 ++++
|
||||
.../tests/home_dir_not_exclusive.fail.sh | 6 ++++
|
||||
.../tests/home_dir_one_empty.fail.sh | 8 +++++
|
||||
.../tests/home_dir_properly_defined.pass.sh | 4 +++
|
||||
.../tests/home_dir_root.fail.sh | 6 ++++
|
||||
.../tests/interactive_users_absent.pass.sh | 4 +++
|
||||
9 files changed, 103 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..fc9b780daa8
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
@@ -0,0 +1,24 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Ensure interactive users have a home directory defined
|
||||
+ ansible.builtin.user:
|
||||
+ name: '{{ item.key }}'
|
||||
+ home: '/home/{{ item.key }}'
|
||||
+ create_home: no
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ uid_min }}}
|
||||
+ - item.value[2]|int != 65534
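Review bot: The `user` task sets `home: '/home/{{ item.key }}'` for every selected account, including accounts whose home directory is already defined and simply lives elsewhere (under /srv, /var/lib or a mount), so the remediation rewrites valid entries rather than only filling in missing ones and can orphan existing data. Limiting the task to the accounts the OVAL state of this rule actually rejects — roughly `- item.value[4] == '' or item.value[4] == '/'`, aligned with the home_dir pattern the OVAL uses — would keep compliant users untouched. The bash remediation for this rule and the accounts_user_interactive_home_directory_exists playbook later in this patch apply the same unconditional `/home/<user>` assignment.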
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..23b0a85aa6a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
|
||||
+ sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
|
||||
+done
|
||||
\ No newline at end of file
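Review bot: The sed pattern `\($user:x:[0-9]*:[0-9]*:.*:\)` is not anchored to the line start, so for a user named `bob` it also matches the entry of any account whose name ends in `bob` (e.g. `jbob`) and rewrites that account's home directory to /home/bob; anchoring fixes the overmatch: `sed -i "s/^\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd`. Editing /etc/passwd in place also bypasses the locking and validation the shadow tools provide, and `usermod -d "/home/$user" "$user"` expresses the same change more safely where usermod is available.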
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..5efb84ab2cf
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/oval/shared.xml
|
||||
@@ -0,0 +1,36 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All Interactive Users Must Have A Home Directory Defined") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_user_interactive_home_directory_defined"
|
||||
+ comment="All Interactive Users Must Have A Home Directory Defined"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!-- For detailed comments about logic used in this OVAL, check the
|
||||
+ "file_ownership_home_directories" rule.
|
||||
+ #### creation of object #### -->
|
||||
+ <unix:password_object id="object_accounts_user_interactive_home_directory_defined_objects"
|
||||
+ version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_user_interactive_home_directory_defined_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_user_interactive_home_directory_defined_uids"
|
||||
+ version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:password_state id="state_accounts_user_interactive_home_directory_defined" version="1">
|
||||
+ <unix:home_dir operation="pattern match">^\/\w*\/\w{1,}[\/\w]*$</unix:home_dir>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:password_test id="test_accounts_user_interactive_home_directory_defined" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="All Interactive Users Have A Home Directory Defined">
|
||||
+ <unix:object object_ref="object_accounts_user_interactive_home_directory_defined_objects"/>
|
||||
+ <unix:state state_ref="state_accounts_user_interactive_home_directory_defined"/>
|
||||
+ </unix:password_test>
|
||||
+</def-group>
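Review bot: The home_dir state `^\/\w*\/\w{1,}[\/\w]*$` only admits `\w` characters in path components, so an account with a home such as `/home/build-user` or `/home/john.doe` — names that useradd accepts — fails the state and the rule reports a finding even though the home directory is properly defined; `^\/[^\/]+\/[^\/]+.*$` keeps the "at least two components" intent (still rejecting `/` and `/tmp`, as the tests in this patch expect) while allowing ordinary characters. The pattern as written also accepts a leading empty component (`//foo`) because the first `\w*` may be empty. A short XML comment stating what the pattern is meant to enforce, such as `<!-- home must be an absolute path at least two levels deep, e.g. /home/<user>; "/" and top-level dirs such as /tmp are rejected -->`, would help future maintainers.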
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..4bc9e10a21c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_all_empty.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+
|
||||
+sed -i "s/\(.*:x:[0-9]\{4,\}:[0-9]*:.*:\).*\(:.*\)$/\1\2/g" /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5c905e03791
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_not_exclusive.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+
|
||||
+sed -i 's/\(.*:x:[0-9]\{4,\}:[0-9]*:.*:\).*\(:.*\)$/\1\/tmp\2/g' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..00d37799c77
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_one_empty.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+useradd -M $USER1
|
||||
+useradd -M $USER2
|
||||
+
|
||||
+sed -i "s/\($USER1:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\2/g" /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..7c181afdd4b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_properly_defined.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..16bb94477bc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_root.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+
|
||||
+sed -i "s/\($USER:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/\2/g" /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ed34f0940a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
|
||||
From 47cf69c176ce8e7ec1922bf8cdcd1d35b02552c9 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Tue, 26 Oct 2021 14:39:11 +0200
|
||||
Subject: [PATCH 2/3] OVAL, tests and remediation for the rule:
|
||||
|
||||
accounts_user_interactive_home_directory_exists
|
||||
---
|
||||
.../bash/shared.sh | 2 +-
|
||||
.../ansible/shared.yml | 24 +++++
|
||||
.../bash/shared.sh | 9 ++
|
||||
.../oval/shared.xml | 91 +++++++++++++++++++
|
||||
.../tests/home_dir_present.pass.sh | 10 ++
|
||||
.../tests/home_dirs_all_absent.fail.sh | 6 ++
|
||||
.../tests/home_dirs_one_absent.fail.sh | 7 ++
|
||||
.../tests/interactive_users_absent.pass.sh | 4 +
|
||||
8 files changed, 152 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
index 23b0a85aa6a..94f8a579f1f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
@@ -6,4 +6,4 @@
|
||||
|
||||
for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
|
||||
sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
|
||||
-done
|
||||
\ No newline at end of file
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..e7acc477d25
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
@@ -0,0 +1,24 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Ensure interactive users have a home directory defined
|
||||
+ ansible.builtin.user:
|
||||
+ name: '{{ item.key }}'
|
||||
+ home: '/home/{{ item.key }}'
|
||||
+ create_home: yes
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ uid_min }}}
|
||||
+ - item.value[2]|int != 65534
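Review bot: The task is named "Ensure interactive users have a home directory defined", copied from the _defined rule, while this rule checks that the directory exists; naming it `Ensure interactive users' home directories exist` avoids confusing remediation logs. The bash variant of this rule creates the directory with `mkhomedir_helper $user 0077`, whereas the `user` module creates it with its own defaults, so the two remediations may not leave the same permissions on the new directory — worth confirming and, if needed, pinning the mode with a follow-up `ansible.builtin.file` task as the file_permissions_home_directories playbook in this patch does.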
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..044b650f103
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/bash/shared.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1}' /etc/passwd); do
|
||||
+ mkhomedir_helper $user 0077;
|
||||
+done
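Review bot: `mkhomedir_helper` is the pam_mkhomedir helper and may be absent on some of the `multi_platform_all` targets, in which case the loop fails for every user and the remediation silently achieves nothing; guarding with `command -v mkhomedir_helper >/dev/null` and falling back to `mkdir -p`/`chown` on the passwd home field would make it robust. The `0077` umask yields 0700 directories, which is consistent with the file_permissions_home_directories remediation in this patch but stricter than that rule's 0750 check.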
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..0a5b313f5b4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/oval/shared.xml
|
||||
@@ -0,0 +1,91 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All Interactive Users Home Directories Must Exist") }}}
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists"
|
||||
+ comment="All Interactive Users Home Directories Must Exist"/>
|
||||
+ <criterion test_ref="test_accounts_user_interactive_home_directory_exists_users"
|
||||
+ comment="Interactive users don't exist on the system"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!-- #### prepare a password object for the two tests in this rule #### -->
|
||||
+ <unix:password_object id="object_accounts_user_interactive_home_directory_exists_objects"
|
||||
+ version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_user_interactive_home_directory_exists_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_user_interactive_home_directory_exists_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### create a local variable composed by the list of home dirs from /etc/passwd #### -->
|
||||
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_list"
|
||||
+ datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir"
|
||||
+ object_ref="object_accounts_user_interactive_home_directory_exists_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### create a local variable composed by the number of home dirs from /etc/passwd #### -->
|
||||
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including expected count of home dirs present on the system">
|
||||
+ <count>
|
||||
+ <variable_component var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### create a file_object to check existence of home dirs on file system #### -->
|
||||
+ <unix:file_object id="object_accounts_user_interactive_home_directory_exists_dirs_fs"
|
||||
+ version="1">
|
||||
+ <unix:path var_ref="var_accounts_user_interactive_home_directory_exists_dirs_list"
|
||||
+ var_check="at least one"/>
|
||||
+ <unix:filename xsi:nil="true"/>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### create a local variable with the number of home dirs present on file system #### -->
|
||||
+ <local_variable id="var_accounts_user_interactive_home_directory_exists_dirs_count_fs"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of home dirs present on file system">
|
||||
+ <count>
|
||||
+ <object_component item_field="path"
|
||||
+ object_ref="object_accounts_user_interactive_home_directory_exists_dirs_fs"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### create a variable object with count of home dirs from file system #### -->
|
||||
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"
|
||||
+ version="1">
|
||||
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count_fs</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <!-- #### create a variable state with count of home dirs from /etc/passwd #### -->
|
||||
+ <ind:variable_state id="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"
|
||||
+ version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_accounts_user_interactive_home_directory_exists_dirs_count"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <!-- #### test_accounts_user_interactive_home_directory_exists #### -->
|
||||
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists" check="all"
|
||||
+ check_existence="at_least_one_exists" version="1"
|
||||
+ comment="Check the existence of interactive users.">
|
||||
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_fs"/>
|
||||
+ <ind:state state_ref="state_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
|
||||
+ </ind:variable_test>
|
||||
+
|
||||
+ <!-- #### create of variable object with count of home dirs from /etc/passwd #### -->
|
||||
+ <ind:variable_object id="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"
|
||||
+ version="1">
|
||||
+ <ind:var_ref>var_accounts_user_interactive_home_directory_exists_dirs_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <!-- #### test_accounts_user_interactive_home_directory_exists_users #### -->
|
||||
+ <ind:variable_test id="test_accounts_user_interactive_home_directory_exists_users" check="all"
|
||||
+ check_existence="none_exist" version="1"
|
||||
+ comment="Check the existence of interactive users.">
|
||||
+ <ind:object object_ref="object_accounts_user_interactive_home_directory_exists_dirs_count_pw"/>
|
||||
+ </ind:variable_test>
|
||||
+</def-group>
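Review bot: The pass/fail decision in test_accounts_user_interactive_home_directory_exists is a comparison of two counts (passwd entries versus paths found on disk), so it cannot attribute a finding to a user, and if the file collector de-duplicates identical paths, two interactive users sharing one home directory would produce a mismatch even though every directory exists; I would confirm that behaviour in OpenSCAP and, as the groupownership rule in this series does, record the limitation under `warnings:` in rule.yml. The password_object also excludes the `nobody` account by name only, whereas the bash and Ansible remediations exclude UID 65534, so a system where that UID carries a different name is checked but never remediated. A second `<filter action="exclude">` state matching `<unix:user_id datatype="int" operation="equals">65534</unix:user_id>` on the password_object would align the three.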
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..d5434cbe4f5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dir_present.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+
|
||||
+# This is to make sure that any possible user create in the test environment has also
|
||||
+# a home dir created on the system.
|
||||
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1}' /etc/passwd); do
|
||||
+ mkhomedir_helper $user 0077;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..af240252de3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_all_absent.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..5bce517215c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/home_dirs_one_absent.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ed34f0940a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
|
||||
From 0d6a5e588d71e927291641cbf2a23259995f0b2d Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Mon, 8 Nov 2021 15:09:12 +0100
|
||||
Subject: [PATCH 3/3] Improved the remediation and rule description
|
||||
|
||||
Included conditional on remediation to make sure that
|
||||
already compliant home directories are skipped.
|
||||
---
|
||||
.../ansible/shared.yml | 3 ++-
|
||||
.../bash/shared.sh | 7 +++++--
|
||||
.../rule.yml | 5 +++++
|
||||
.../tests/home_dir_defined_out_home.pass.sh | 4 ++++
|
||||
.../ansible/shared.yml | 3 +--
|
||||
5 files changed, 17 insertions(+), 5 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
index fc9b780daa8..13fbdd1ca44 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/ansible/shared.yml
|
||||
@@ -13,7 +13,7 @@
|
||||
ansible.builtin.set_fact:
|
||||
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
|
||||
-- name: Ensure interactive users have a home directory defined
|
||||
+- name: Ensure interactive users have an exclusive home directory defined
|
||||
ansible.builtin.user:
|
||||
name: '{{ item.key }}'
|
||||
home: '/home/{{ item.key }}'
|
||||
@@ -22,3 +22,4 @@
|
||||
when:
|
||||
- item.value[2]|int >= {{{ uid_min }}}
|
||||
- item.value[2]|int != 65534
|
||||
+ - not item.value[4] | regex_search('^\/\w*\/\w{1,}')
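Review bot: The new condition `not item.value[4] | regex_search('^\/\w*\/\w{1,}')` treats any home directory whose first path component contains a character outside `\w` (e.g. `/srv-data/alice`, `/export.home/bob`) as undefined, and the task then rewrites that user's passwd entry to `/home/<name>` without moving files (`move_home` is not set), which is disruptive for valid non-/home layouts. Because the bash hunk states this mirrors the OVAL logic, the OVAL pattern (outside this patch) needs the same change to stay in sync; a pattern that only requires two non-empty components, `'^/[^/]+/[^/]+'`, matches the description's stated intent of "at least one parent folder". `\w*` also accepts an empty first component such as `//alice`, which `[^/]+` closes as well.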
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
index 94f8a579f1f..7fac61d4892 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/bash/shared.sh
|
||||
@@ -4,6 +4,9 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-for user in `awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd`; do
|
||||
- sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
|
||||
+for user in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do
|
||||
+ # This follows the same logic of evaluation of home directories as used in OVAL.
|
||||
+ if ! grep -q $user /etc/passwd | cut -d: -f6 | grep '^\/\w*\/\w\{1,\}'; then
|
||||
+ sed -i "s/\($user:x:[0-9]*:[0-9]*:.*:\).*\(:.*\)$/\1\/home\/$user\2/g" /etc/passwd;
|
||||
+ fi
|
||||
done
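Review bot: The guard on the `if ! grep -q $user /etc/passwd | cut -d: -f6 | grep ...` line never takes effect: `grep -q` writes nothing to stdout, so `cut` and the second `grep` always see empty input, the pipeline's status is that of the final `grep` (always non-zero), and the sed rewrite runs for every user — exactly what the commit message says it now avoids. Unanchored `grep $user` would also match other accounts whose names contain this one, and any GECOS text. Replace the line with `if ! getent passwd "$user" | cut -d: -f6 | grep -q '^\/\w*\/\w\{1,\}'; then`, which looks up the exact account and puts `-q` on the grep that decides. The `\w`-only pattern additionally rejects legitimate parent directories containing `-` or `.`, such as `/srv-data/alice`, so those users would have their home reset to `/home/<name>`.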
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
||||
index 20d26032338..b58164c5403 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
||||
@@ -8,6 +8,11 @@ description: |-
|
||||
Assign home directories to all interactive users that currently do not
|
||||
have a home directory assigned.
|
||||
|
||||
+ This rule checks if the home directory is properly defined in a folder which has
|
||||
+ at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
|
||||
+ Therefore, this rule will report a finding for home directories like <tt>/users</tt>,
|
||||
+ <tt>/tmp</tt> or <tt>/</tt>.
|
||||
+
|
||||
rationale: |-
|
||||
If local interactive users are not assigned a valid home directory, there is no
|
||||
place for the storage and control of files they should own.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..c7100f304ca
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/tests/home_dir_defined_out_home.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M -d /data/$USER $USER
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
index e7acc477d25..84382a7f488 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/ansible/shared.yml
|
||||
@@ -13,10 +13,9 @@
|
||||
ansible.builtin.set_fact:
|
||||
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
|
||||
-- name: Ensure interactive users have a home directory defined
|
||||
+- name: Ensure interactive users have a home directory exists
|
||||
ansible.builtin.user:
|
||||
name: '{{ item.key }}'
|
||||
- home: '/home/{{ item.key }}'
|
||||
create_home: yes
|
||||
loop: '{{ local_users }}'
|
||||
when:
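Review bot: The renamed task reads `Ensure interactive users have a home directory exists`, which is ungrammatical; `- name: Ensure home directories of interactive users exist` says the same thing. The remaining `when:` conditions (just past this hunk) still compare `item.value[2]`, the primary GID from getent's split output, against uid_min, whereas the OVAL for this rule selects on user_id; `item.value[1]` is the UID.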
|
662
SOURCES/scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch
Normal file
@ -0,0 +1,662 @@
|
||||
commit dc273bb872cc53f2d52af4396f4d3bba0acc178f
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 17:30:42 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..ff41e19
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/ansible/shared.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ gid_min }}}
|
||||
+ - item.value[2]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ group: '{{ item.0.value[2] }}'
|
||||
+ recurse: yes
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
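Review bot: The `when:` filter on the stat task selects accounts by `item.value[2]` (primary GID) against gid_min, but the OVAL for this rule later in this patch filters password entries on `user_id` against the same gid_min, so the set of users remediated is not the set the scan evaluates; the sibling accounts_users_home_files_ownership remediation in this patch keys on `item.value[1]` (UID) with its OVAL on user_id, which is the consistent form, and the bash loop for this rule has the same `$4` versus `$3` question. Pick one key and use it in the OVAL, here and in bash. `ansible.builtin.file` with `recurse: yes` applies the group change to everything beneath the home directory, so please confirm how the module treats symbolic links under a recursed path (`follow`): a link inside a home directory must not redirect the change to a file outside it. The task name says `owners` but the task sets `group`, a copy-paste slip from the ownership rule.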
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..e392d2f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for user in $(awk -F':' '{ if ($4 >= {{{ gid_min }}} && $4 != 65534) print $1 }' /etc/passwd); do
|
||||
+ home_dir=$(getent passwd $user | cut -d: -f6)
|
||||
+ group=$(getent passwd $user | cut -d: -f4)
|
||||
+ # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
|
||||
+ # when the group is already defined as expected, therefore not impacting in possible integrity
|
||||
+ # check systems that also check inodes timestamps.
|
||||
+ find $home_dir -not -group $group -exec chgrp -f $group {} \;
|
||||
+done
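Review bot: `find $home_dir -not -group $group -exec chgrp -f $group {} \;` is unsafe when the passwd home field is empty or `/`: with an empty `$home_dir` find walks the current directory, and with `/` it re-groups the whole filesystem, so a guard such as `[ -n "$home_dir" ] && [ -d "$home_dir" ] && [ "$home_dir" != "/" ] || continue` is needed before the find. `chgrp` (and `chown` in the accounts_users_home_files_ownership bash remediation below) dereferences symbolic links by default, so a link inside the home directory redirects the change to its target; use `chgrp -fh` / `chown -fh`, and `-xdev` on find keeps the walk from crossing into other mounts. Quote `"$home_dir"` and `"$group"`, and `-exec ... {} +` avoids one process per file.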
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..1fd016a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/oval/shared.xml
|
||||
@@ -0,0 +1,52 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_users_home_files_groupownership"
|
||||
+ comment="All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:password_object id="object_accounts_users_home_files_groupownership_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_users_home_files_groupownership_interactive_gids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_users_home_files_groupownership_interactive_gids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <local_variable id="var_accounts_users_home_files_groupownership_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir"
|
||||
+ object_ref="object_accounts_users_home_files_groupownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <local_variable id="var_accounts_users_home_files_groupownership_gids" datatype="int" version="1"
|
||||
+ comment="List of interactive users gids">
|
||||
+ <object_component item_field="group_id"
|
||||
+ object_ref="object_accounts_users_home_files_groupownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_accounts_users_home_files_groupownership_dirs" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path var_ref="var_accounts_users_home_files_groupownership_dirs" var_check="at least one"/>
|
||||
+ <unix:filename operation="pattern match">.*</unix:filename>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_accounts_users_home_files_groupownership_gids" version="1">
|
||||
+ <unix:group_id datatype="int" var_check="only one"
|
||||
+ var_ref="var_accounts_users_home_files_groupownership_gids"/>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:file_test id="test_accounts_users_home_files_groupownership" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="All home directories files are group-owned by a local interactive user">
|
||||
+ <unix:object object_ref="object_accounts_users_home_files_groupownership_dirs"/>
|
||||
+ <unix:state state_ref="state_accounts_users_home_files_groupownership_gids"/>
|
||||
+ </unix:file_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
|
||||
index 1c0f93a..31a0f1d 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml
|
||||
@@ -10,6 +10,9 @@ description: |-
|
||||
local interactive users files and directories, use the following command:
|
||||
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/<i>FILE_DIR</i></pre>
|
||||
|
||||
+ This rule ensures every file or directory under the home directory related
|
||||
+ to an interactive user is group-owned by an interactive user.
|
||||
+
|
||||
rationale: |-
|
||||
If a local interactive users files are group-owned by a group of which the
|
||||
user is not a member, unintended users may be able to access them.
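Review bot: The added description sentence says files must be "group-owned by an interactive user", but the OVAL state for this rule accepts any GID from the list of interactive users' primary GIDs, not specifically the owner of that home directory. `is group-owned by the primary group of a local interactive user (not necessarily the user who owns the home directory).` states what is actually checked and motivates the false-negative warning added in the next hunk.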
|
||||
@@ -33,3 +36,9 @@ ocil: |-
|
||||
group-owned by a group the user is a member of, run the
|
||||
following command:
|
||||
<pre>$ sudo ls -lLR /home/<i>USER</i></pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Due to OVAL limitation, this rule can report a false negative in a
|
||||
+ specific situation where two interactive users swap the group-ownership
|
||||
+ of folders or files in their respective home directories.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..8538430
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/expected_groupowner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chgrp -f $USER /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5bce517
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/home_dirs_one_absent.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..f105723
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_system_gid.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chgrp 2 /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..00fa481
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/unexpected_groupowner_unknown_gid.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chgrp 10005 /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..052aa7c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/tests/warning_home_dirs_swapped_groupowner.pass.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+echo "$USER1" > /home/$USER1/$USER1.txt
|
||||
+echo "$USER2" > /home/$USER2/$USER2.txt
|
||||
+# Swap the ownership of files in two home directories
|
||||
+# WARNING: This test scenario will report a false negative, as explained in the
|
||||
+# warning section of this rule.
|
||||
+chgrp -f $USER2 /home/$USER1/$USER1.txt
|
||||
+chgrp -f $USER1 /home/$USER2/$USER2.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..40a0579
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/ansible/shared.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence home directories to avoid creating them, but only fixing ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[1]|int >= {{{ uid_min }}}
|
||||
+ - item.value[1]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ owner: '{{ item.0.value[1] }}'
|
||||
+ recurse: yes
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..236c800
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $1 }' /etc/passwd); do
|
||||
+ home_dir=$(getent passwd $user | cut -d: -f6)
|
||||
+ # Only update the ownership when necessary. This will avoid changing the inode timestamp
|
||||
+ # when the owner is already defined as expected, therefore not impacting in possible integrity
|
||||
+ # check systems that also check inodes timestamps.
|
||||
+ find $home_dir -not -user $user -exec chown -f $user {} \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..1850cfb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/oval/shared.xml
|
||||
@@ -0,0 +1,52 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have a Valid Owner") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_users_home_files_ownership"
|
||||
+ comment="All User Files and Directories In The Home Directory Must Have a Valid Owner"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:password_object id="object_accounts_users_home_files_ownership_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_users_home_files_ownership_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_users_home_files_ownership_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <local_variable id="var_accounts_users_home_files_ownership_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir"
|
||||
+ object_ref="object_accounts_users_home_files_ownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <local_variable id="var_accounts_users_home_files_ownership_uids" datatype="int" version="1"
|
||||
+ comment="List of interactive users uids">
|
||||
+ <object_component item_field="user_id"
|
||||
+ object_ref="object_accounts_users_home_files_ownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_accounts_users_home_files_ownership_dirs" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path var_ref="var_accounts_users_home_files_ownership_dirs" var_check="at least one"/>
|
||||
+ <unix:filename operation="pattern match">.*</unix:filename>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_accounts_users_home_files_ownership_uids" version="1">
|
||||
+ <unix:user_id datatype="int" var_check="only one"
|
||||
+ var_ref="var_accounts_users_home_files_ownership_uids"/>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:file_test id="test_accounts_users_home_files_ownership" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="All home directories files are owned by a local interactive user">
|
||||
+ <unix:object object_ref="object_accounts_users_home_files_ownership_dirs"/>
|
||||
+ <unix:state state_ref="state_accounts_users_home_files_ownership_uids"/>
|
||||
+ </unix:file_test>
|
||||
+</def-group>
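Review bot: The password_object excludes the account named `nobody`, whereas the bash remediation added in this same patch skips UID 65534 by number, so on a system where that UID carries a different account name with a home directory the check and the fix disagree on which users are in scope; aligning both on the UID, e.g. a second password_state with `<unix:user_id datatype="int" operation="equals">65534</unix:user_id>` applied through `<filter action="exclude">`, keeps them consistent. I read `recurse_file_system="local"` as skipping home directories that live on network mounts; if that is the intent, it belongs in the rule description rather than only in the OVAL.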
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
|
||||
index 13f6bfe..5bfb388 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml
|
||||
@@ -10,6 +10,9 @@ description: |-
|
||||
directories, use the following command:
|
||||
<pre>$ sudo chown -R <i>USER</i> /home/<i>USER</i></pre>
|
||||
|
||||
+ This rule ensures every file or directory under the home directory related
|
||||
+ to an interactive user is owned by an interactive user.
|
||||
+
|
||||
rationale: |-
|
||||
If local interactive users do not own the files in their directories,
|
||||
unauthorized users may be able to access them. Additionally, if files are not
|
||||
@@ -34,3 +37,9 @@ ocil: |-
|
||||
To verify all files and directories in interactive users home directory
|
||||
are owned by the user, run the following command:
|
||||
<pre>$ sudo ls -lLR /home/<i>USER</i></pre>
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Due to OVAL limitation, this rule can report a false negative in a
|
||||
+ specific situation where two interactive users swap the ownership of
|
||||
+ folders or files in their respective home directories.
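Review bot: The new warning only documents the swapped-ownership false negative, but the OVAL added in this same patch limits the file object to `recurse_file_system="local"`, so files in home directories on network filesystems are never evaluated; a second `general` entry stating that limitation would complete the warnings list. "Due to OVAL limitation" reads better as "Due to an OVAL limitation", and the same phrase is reused in the accounts_user_dot_user_ownership rule.yml of this patch set.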
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..da68cb4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/expected_owner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chown $USER /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5bce517
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/home_dirs_one_absent.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
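Review bot: The expression `/.*:[0-9]\{4,\}:/d` deletes any passwd line containing a number of four or more digits in any colon-delimited field, so a system account whose primary GID is 1000 or above is removed together with the interactive users, and the 1000 threshold is hard-coded while the OVAL works from `{{{ uid_min }}}`. Anchoring the pattern to the UID field, `sed -i '/^[^:]*:[^:]*:[0-9]\{4,\}:/d' /etc/passwd`, limits the deletion to what the comment above describes; if the test scripts go through the same templating as the remediations, deriving the threshold from `uid_min` would remove the hard-coded assumption. The same script is added unchanged as interactive_users_absent.pass.sh for accounts_users_home_files_permissions and accounts_user_dot_user_ownership in this patch set.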
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..59c46a9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_system_id.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chown 2 /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..e0f5514
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/unexpected_owner_unknown_id.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chown 10005 /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..1174ec6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/tests/warning_home_dirs_swapped_owner.pass.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -m $USER2
|
||||
+echo "$USER1" > /home/$USER1/$USER1.txt
|
||||
+echo "$USER2" > /home/$USER2/$USER2.txt
|
||||
+# Swap the ownership of files in two home directories
|
||||
+# WARNING: This test scenario will report a false negative, as explained in the
|
||||
+# warning section of this rule.
|
||||
+chown -f $USER2 /home/$USER1/$USER1.txt
|
||||
+chown -f $USER1 /home/$USER2/$USER2.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..9473710
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/ansible/shared.yml
|
||||
@@ -0,0 +1,33 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Get all local users from /etc/passwd
|
||||
+ ansible.builtin.getent:
|
||||
+ database: passwd
|
||||
+ split: ':'
|
||||
+
|
||||
+- name: Create local_users variable from the getent output
|
||||
+ ansible.builtin.set_fact:
|
||||
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
|
||||
+
|
||||
+- name: Test for existence home directories to avoid creating them, but only fixing group ownership
|
||||
+ ansible.builtin.stat:
|
||||
+ path: '{{ item.value[4] }}'
|
||||
+ register: path_exists
|
||||
+ loop: '{{ local_users }}'
|
||||
+ when:
|
||||
+ - item.value[2]|int >= {{{ uid_min }}}
|
||||
+ - item.value[2]|int != 65534
|
||||
+
|
||||
+- name: Ensure interactive local users are the group-owners of their respective home directories
|
||||
+ ansible.builtin.file:
|
||||
+ path: '{{ item.0.value[4] }}'
|
||||
+ mode: 'g-w,o=-'
|
||||
+ follow: no
|
||||
+ recurse: yes
|
||||
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
|
||||
+ when:
|
||||
+ - item.1.stat is defined and item.1.stat.exists
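Review bot: Both `when` conditions test `item.value[2]`, which for `getent passwd` split on `:` is the primary GID field, while the ownership playbook earlier in this patch and the permissions OVAL select users by UID (`item.value[1]`, `unix:user_id`); filtering on GID puts a different set of users in scope from the one the check evaluates, so the conditions should read `- item.value[1]|int >= {{{ uid_min }}}` and `- item.value[1]|int != 65534`. The bash remediation of the same rule has the matching slip (`$4` where the ownership script uses `$3`). The task names "Test for existence home directories to avoid creating them, but only fixing group ownership" and "Ensure interactive local users are the group-owners of their respective home directories" look carried over from the group-ownership rule and no longer describe tasks that set a mode, so they should be reworded.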
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..186d55d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/bash/shared.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for home_dir in $(awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) print $6 }' /etc/passwd); do
|
||||
+ # Only update the permissions when necessary. This will avoid changing the inode timestamp when
|
||||
+ # the permission is already defined as expected, therefore not impacting in possible integrity
|
||||
+ # check systems that also check inodes timestamps.
|
||||
+ find $home_dir -perm /027 -exec chmod g-w,o=- {} \;
|
||||
+done
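Review bot: `find` evaluates `-perm /027` against the symbolic link itself, whose mode is 0777, so every symlink under a home directory matches and `chmod g-w,o=- {}` then follows the link and changes the mode of its target, which may be any file on the system; restricting the action to regular files and directories avoids that: `find "$home_dir" \( -type f -o -type d \) -perm /027 -exec chmod g-w,o=- {} \;`. Quoting `$home_dir` additionally protects the loop against paths containing spaces. The `$4` field selection on the `awk` line is raised in the note on the Ansible remediation of this rule.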
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..d3db46d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
|
||||
@@ -0,0 +1,52 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_users_home_files_permissions"
|
||||
+ comment="All files under interactive user's Home Directories must have proper permissions"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <!-- For detailed comments about logic used in this OVAL, check the
|
||||
+ "file_ownership_home_directories" rule. -->
|
||||
+ <unix:password_object id="object_accounts_users_home_files_permissions_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_users_home_files_permissions_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_users_home_files_permissions_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <!-- #### prepare for test_file_permissions_home_directories #### -->
|
||||
+ <local_variable id="var_accounts_users_home_files_permissions_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir" object_ref="object_accounts_users_home_files_permissions_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_accounts_users_home_files_permissions_dirs" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path var_ref="var_accounts_users_home_files_permissions_dirs" var_check="at least one"/>
|
||||
+ <unix:filename operation="pattern match">.*</unix:filename>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_accounts_users_home_files_permissions_dirs" version="1" operator='AND'>
|
||||
+ <unix:suid datatype="boolean">false</unix:suid>
|
||||
+ <unix:sgid datatype="boolean">false</unix:sgid>
|
||||
+ <unix:sticky datatype="boolean">false</unix:sticky>
|
||||
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
|
||||
+ <unix:oread datatype="boolean">false</unix:oread>
|
||||
+ <unix:owrite datatype="boolean">false</unix:owrite>
|
||||
+ <unix:oexec datatype="boolean">false</unix:oexec>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:file_test id="test_accounts_users_home_files_permissions" check="all" check_existence="any_exist"
|
||||
+ version="1" comment="All home directories have proper permissions">
|
||||
+ <unix:object object_ref="object_accounts_users_home_files_permissions_dirs"/>
|
||||
+ <unix:state state_ref="state_accounts_users_home_files_permissions_dirs"/>
|
||||
+ </unix:file_test>
|
||||
+</def-group>
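Review bot: The comments `For detailed comments about logic used in this OVAL, check the "file_ownership_home_directories" rule` and `prepare for test_file_permissions_home_directories` point at ids that do not exist in this definition (the test here is `test_accounts_users_home_files_permissions`), so they send a reader to the wrong place; either reference `accounts_users_home_files_ownership`, whose OVAL in this patch uses the same construction, or replace them with a one-line description such as `<!-- home directories of interactive users (UID >= uid_min, name != nobody), recursed on local filesystems only -->`. The state also requires `sticky` to be false, which goes beyond the "0750 or less permissive" wording of the title; if that is intended, a short comment on the `<unix:sticky>` line would save the next reviewer the question.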
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..3561847
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/acceptable_permission.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chmod -Rf 750 /home/$USER/.*
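Review bot: In bash the glob `/home/$USER/.*` also expands to `/home/$USER/..`, so `chmod -Rf 750 /home/$USER/.*` recursively changes the mode of `/home` and of every other home directory in the test environment, and it only reaches `$USER.txt` by way of the `/home/$USER/.` entry; `chmod -Rf 750 "/home/$USER"` is what the scenario intends and covers the hidden files as well. The same glob is used in expected_permissions.pass.sh, lenient_permission.fail.sh and lenient_permission_hidden_files.fail.sh of this rule.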
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..8ed7fa2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/expected_permissions.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chmod -Rf 700 /home/$USER/.*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..af24025
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/home_dirs_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ed34f09
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..b561671
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/$USER.txt
|
||||
+chmod -Rf 700 /home/$USER/.*
|
||||
+chmod -f o+r /home/$USER/$USER.txt
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..d7811bc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/tests/lenient_permission_hidden_files.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "$USER" > /home/$USER/.init_file
|
||||
+chmod -Rf 700 /home/$USER/.*
|
||||
+chmod -f o+r /home/$USER/.init_file
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
|
||||
similarity index 100%
|
||||
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_id.fail.sh
|
||||
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_system_uid.fail.sh
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh
|
||||
similarity index 100%
|
||||
rename from linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_id.fail.sh
|
||||
rename to linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/tests/unexpected_groupowner_unknown_uid.fail.sh
|
851
SOURCES/scap-security-guide-0.1.59-BZ1884687D-PR_7837.patch
Normal file
@ -0,0 +1,851 @@
|
||||
From 55ec5c49441f6b99914eef15c6cc559910311934 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Fri, 5 Nov 2021 14:02:09 +0100
|
||||
Subject: [PATCH 1/4] OVAL, tests and remediation for rule:
|
||||
|
||||
accounts_user_dot_user_ownership
|
||||
---
|
||||
.../ansible/shared.yml | 10 ++++
|
||||
.../bash/shared.sh | 7 +++
|
||||
.../oval/shared.xml | 52 +++++++++++++++++++
|
||||
.../accounts_user_dot_user_ownership/rule.yml | 9 ++++
|
||||
.../tests/expected_owner.pass.sh | 6 +++
|
||||
.../tests/home_dirs_all_absent.pass.sh | 6 +++
|
||||
.../home_dirs_one_absent_owner_ok.pass.sh | 10 ++++
|
||||
.../tests/interactive_users_absent.pass.sh | 4 ++
|
||||
.../tests/no_dot_file_ignored.pass.sh | 6 +++
|
||||
.../tests/unexpected_owner_system_uid.fail.sh | 6 +++
|
||||
.../unexpected_owner_unknown_uid.fail.sh | 6 +++
|
||||
.../tests/warning_swapped_owners.pass.sh | 15 ++++++
|
||||
12 files changed, 137 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..3801e0cfdec
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/ansible/shared.yml
|
||||
@@ -0,0 +1,10 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+- name: Ensure interactive local users are the owners of their respective initialization files
|
||||
+ ansible.builtin.command:
|
||||
+ cmd: |
|
||||
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
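Review bot: The `chown -f` issued through awk's `system()` runs without `-h`, so a symbolic link among the dot files changes the owner of the link's target, which may lie outside the home directory, rather than the link; `chown -fh` confines the change to the home directory entries. The glob `.[^\.]?*` requires at least three characters (`?` consumes one after the non-dot), so two-character names such as `.X` are skipped, and `\.` inside an awk string literal is an escape sequence gawk warns about; `.[!.]*` is the conventional form. The bash remediation of this rule carries the identical command. A `command:` task also reports `changed` on every run, so `changed_when: false`, or a `file:` loop over the matching entries, would make the playbook idempotent.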
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..f362a2656aa
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/bash/shared.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..fb12ce73b23
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/oval/shared.xml
|
||||
@@ -0,0 +1,52 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("User Initialization Files Must Be Owned By the Primary User") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_user_dot_user_ownership"
|
||||
+ comment="User Initialization Files Must Be Owned By the Primary User"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:password_object id="object_accounts_user_dot_user_ownership_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_user_dot_user_ownership_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_user_dot_user_ownership_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <local_variable id="var_accounts_user_dot_user_ownership_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir"
|
||||
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <local_variable id="var_accounts_user_dot_user_ownership_uids" datatype="int" version="1"
|
||||
+ comment="List of interactive users uids">
|
||||
+ <object_component item_field="user_id"
|
||||
+ object_ref="object_accounts_user_dot_user_ownership_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <unix:file_object id="object_accounts_user_dot_user_ownership_init_files" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path var_ref="var_accounts_user_dot_user_ownership_dirs" var_check="at least one"/>
|
||||
+ <unix:filename operation="pattern match">^\..*</unix:filename>
|
||||
+ </unix:file_object>
|
||||
+
|
||||
+ <!-- #### creation of state #### -->
|
||||
+ <unix:file_state id="state_accounts_user_dot_user_ownership_uids" version="1">
|
||||
+ <unix:user_id datatype="int" var_check="only one"
|
||||
+ var_ref="var_accounts_user_dot_user_ownership_uids"/>
|
||||
+ </unix:file_state>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <unix:file_test id="test_accounts_user_dot_user_ownership" check="all"
|
||||
+ check_existence="any_exist" version="1"
|
||||
+ comment="All user initialization files are owned by a local interactive user">
|
||||
+ <unix:object object_ref="object_accounts_user_dot_user_ownership_init_files"/>
|
||||
+ <unix:state state_ref="state_accounts_user_dot_user_ownership_uids"/>
|
||||
+ </unix:file_test>
|
||||
+</def-group>
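Review bot: `max_depth="1"` combined with `recurse="directories"` makes the object descend one level, so dot files inside immediate subdirectories of the home (for instance `~/project/.gitignore`) are evaluated, while the remediations in this patch only touch `$HOME/.*` at the top level; if the rule is about initialization files directly in the home directory, `max_depth="0"` keeps the check aligned with the fix, otherwise the remediation has to cover the subdirectory level as well. I am reading the recursion semantics from the behaviors attributes; please confirm against the openscap file probe before changing it.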
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
|
||||
index 37efb159c08..ec75aa01f12 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml
|
||||
@@ -9,6 +9,9 @@ description: |-
|
||||
the primary owner with the following command:
|
||||
<pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre>
|
||||
|
||||
+ This rule ensures every initialization file related to an interactive user
|
||||
+ is owned by an interactive user.
|
||||
+
|
||||
rationale: |-
|
||||
Local initialization files are used to configure the user's shell environment
|
||||
upon logon. Malicious modification of these files could compromise accounts upon
|
||||
@@ -33,3 +36,9 @@ ocil: |-
|
||||
primary user, run the following command:
|
||||
<pre>$ sudo ls -al /home/<i>USER</i>/.*</pre>
|
||||
The user initialization files should be owned by <i>USER</i>.
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ Due to OVAL limitation, this rule can report a false negative in a
|
||||
+ specific situation where two interactive users swap the ownership of
|
||||
+ their respective initialization files.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3d30238225e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/expected_owner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+touch /home/$USER/.bashrc
|
||||
+chown $USER /home/$USER/.bashrc
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..af240252de3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..840477d2c83
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/home_dirs_one_absent_owner_ok.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
+
|
||||
+touch /home/$USER1/.bashrc
|
||||
+chown $USER1 /home/$USER1/.bashrc
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ed34f0940a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..9292a46b3b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chown 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
new file mode 100644
index 00000000000..0373eb6a5f6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_system_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
new file mode 100644
index 00000000000..da7f50ce905
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/unexpected_owner_unknown_uid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chown 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
new file mode 100644
index 00000000000..b4a95ae2242
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/tests/warning_swapped_owners.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+touch /home/$USER1/.bashrc
+touch /home/$USER2/.bashrc
+
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chown -f $USER2 /home/$USER1/.bashrc
+chown -f $USER1 /home/$USER2/.bashrc
From cc6318c8afc898190a090058fbdfbdfc741d4d85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:05:19 +0100
Subject: [PATCH 2/4] OVAL, tests and remediation for rule:
accounts_user_dot_group_ownership
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../rule.yml | 9 ++++
.../tests/expected_groupowner.pass.sh | 6 +++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../home_dirs_one_absent_group_ok.pass.sh | 10 ++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
.../unexpected_groupowner_system_gid.fail.sh | 6 +++
.../unexpected_groupowner_unknown_gid.fail.sh | 6 +++
.../tests/warning_swapped_groupowners.pass.sh | 15 ++++++
12 files changed, 137 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
new file mode 100644
index 00000000000..1a9fa192359
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the group-owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
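Review bot: The `system("chgrp -f " $3 ...)` call hands the UID field (`$3`) to chgrp as the new group, so the initialization files only end up in the correct group when the account's primary GID happens to equal its UID; for an account whose primary group is a shared low-GID group the files are re-assigned to a numeric GID that may not exist at all. The primary group is field 4: `system("chgrp -f " $4 " " $6 "/.[^\.]?*")`. The bash remediation in bash/shared.sh repeats the same line and needs the same change. `$6` is also spliced into the shell command unquoted, so a home directory path containing whitespace or shell metacharacters is split or reinterpreted; emitting it inside quotes in the awk string would make the loop robust to such entries.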
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
new file mode 100644
index 00000000000..2b0fe395e29
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) system("chgrp -f " $3" "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
new file mode 100644
index 00000000000..7ee39a3e794
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Be Group-Owned By The Primary User") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_dot_group_ownership"
+ comment="User Initialization Files Must Be Group-Owned By The Primary User"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_group_ownership_objects" version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_group_ownership_interactive_gids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_group_ownership_interactive_gids" version="1">
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_user_dot_group_ownership_dirs" datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+ <local_variable id="var_accounts_user_dot_group_ownership_gids" datatype="int" version="1"
+ comment="List of interactive users gids">
+ <object_component item_field="group_id"
+ object_ref="object_accounts_user_dot_group_ownership_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_user_dot_group_ownership_init_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_group_ownership_dirs" var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_user_dot_group_ownership_gids" version="1">
+ <unix:group_id datatype="int" var_check="only one"
+ var_ref="var_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_user_dot_group_ownership" check="all"
+ check_existence="any_exist" version="1"
+ comment="All user initialization files are group-owned by a local interactive user">
+ <unix:object object_ref="object_accounts_user_dot_group_ownership_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_group_ownership_gids"/>
+ </unix:file_test>
+</def-group>
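Review bot: The password_object filter selects accounts by `group_id >= gid_min` (`<unix:group_id datatype="int" operation="greater than or equal">{{{ gid_min }}}</unix:group_id>`), while the remediation scripts in this patch and the OVAL of the sibling rule accounts_user_dot_no_world_writable_programs select interactive users by `user_id >= uid_min`; an interactive user whose primary group is a low-GID shared group is therefore skipped by this check but still touched by the remediation. Switching the state to `<unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>` (and naming it `..._interactive_uids`) aligns check and fix. `var_accounts_user_dot_group_ownership_gids` still collects the primary GIDs of the selected users via `item_field="group_id"`, so the file_state does not need to change.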
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
index a9cf96afc8c..d7d75a6600f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml
@@ -10,6 +10,9 @@ description: |-
interactive user home directory, use the following command:
<pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/.<i>INIT_FILE</i></pre>
+ This rule ensures every initialization file related to an interactive user
+ is group-owned by an interactive user.
+
rationale: |-
Local initialization files for interactive users are used to configure the
user's shell environment upon logon. Malicious modification of these files could
@@ -35,3 +38,9 @@ ocil: |-
users in <tt>/etc/passwd</tt> and verify all initialization files under the
respective users home directory. Check the group owner of all local interactive users
initialization files.
+
+warnings:
+ - general: |-
+ Due to OVAL limitation, this rule can report a false negative in a
+ specific situation where two interactive users swap the group-ownership
+ of their respective initialization files.
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
new file mode 100644
index 00000000000..0b89e741fbf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/expected_groupowner.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp $USER /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_all_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
new file mode 100644
index 00000000000..90e1787dccc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/home_dirs_one_absent_group_ok.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -M $USER2
+
+touch /home/$USER1/.bashrc
+chgrp $USER1 /home/$USER1/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..5b9e17c5384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/nodotfile
+chgrp 2 /home/$USER/nodotfile
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
new file mode 100644
index 00000000000..b21e7229ed2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_system_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 2 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
new file mode 100644
index 00000000000..7c1bcac44d6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/unexpected_groupowner_unknown_gid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chgrp 10005 /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
new file mode 100644
index 00000000000..d58a9dd63bf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/tests/warning_swapped_groupowners.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+USER1="cac_user1"
+USER2="cac_user2"
+
+useradd -m $USER1
+useradd -m $USER2
+touch /home/$USER1/.bashrc
+touch /home/$USER2/.bashrc
+
+# Swap the ownership of files in two home directories
+# WARNING: This test scenario will report a false negative, as explained in the
+# warning section of this rule.
+chgrp -f $USER2 /home/$USER1/.bashrc
+chgrp -f $USER1 /home/$USER2/.bashrc
From 2e28bd10bfec8466362e74b7c5d95481e95d0ae9 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:06:56 +0100
Subject: [PATCH 3/4] OVAL, tests and remediation for rule:
accounts_user_dot_no_world_writable_programs
---
.../ansible/shared.yml | 10 ++++
.../bash/shared.sh | 7 +++
.../oval/shared.xml | 52 +++++++++++++++++++
.../tests/expected_permissions.pass.sh | 6 +++
.../tests/home_dirs_absent.pass.sh | 6 +++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/lenient_permission.fail.sh | 6 +++
.../tests/more_restrictive_permission.pass.sh | 6 +++
.../tests/no_dot_file_ignored.pass.sh | 6 +++
9 files changed, 103 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
new file mode 100644
index 00000000000..210d12a53fe
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/ansible/shared.yml
@@ -0,0 +1,10 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the group-owners of their respective initialization files
+ ansible.builtin.command:
+ cmd: |
+ awk -F':' '{ if ($3 >= {{{ gid_min }}} && $3 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
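Review bot: The awk filter compares the UID field against `{{{ gid_min }}}` (`$3 >= {{{ gid_min }}}`), while the bash remediation in bash/shared.sh compares the GID field `$4` against `{{{ uid_min }}}` and the OVAL for this rule selects accounts by `user_id >= uid_min`, so the two remediations can act on a different set of accounts than the check reports. Both should read `if ($3 >= {{{ uid_min }}} && $3 != 65534)`. The task name `Ensure interactive local users are the group-owners of their respective initialization files` is carried over from the group-ownership rule and does not describe this task; something like `Ensure interactive local users' initialization files are not group- or world-writable` matches the `chmod -f g-w,o-w` it runs.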
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
new file mode 100644
index 00000000000..24ff95c6cd7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+awk -F':' '{ if ($4 >= {{{ uid_min }}} && $4 != 65534) system("chmod -f g-w,o-w "$6"/.[^\.]?*") }' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
new file mode 100644
index 00000000000..ca8ecb2b447
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("User Initialization Files Must Not Run World-Writable Programs") }}}
+ <criteria>
+ <criterion test_ref="test_accounts_user_dot_no_world_writable_programs"
+ comment="User Initialization Files Must Not Run World-Writable Programs"/>
+ </criteria>
+ </definition>
+
+ <unix:password_object id="object_accounts_user_dot_no_world_writable_programs_objects"
+ version="1">
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
+ <filter action="include">state_accounts_user_dot_no_world_writable_programs_interactive_uids</filter>
+ </unix:password_object>
+
+ <unix:password_state id="state_accounts_user_dot_no_world_writable_programs_interactive_uids"
+ version="1">
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
+ </unix:password_state>
+
+ <local_variable id="var_accounts_user_dot_no_world_writable_programs_dirs"
+ datatype="string" version="1"
+ comment="Variable including all home dirs from interactive users">
+ <object_component item_field="home_dir"
+ object_ref="object_accounts_user_dot_no_world_writable_programs_objects"/>
+ </local_variable>
+
+ <!-- #### creation of object #### -->
+ <unix:file_object id="object_accounts_user_dot_no_world_writable_programs_init_files"
+ version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1"
+ recurse_file_system="local"/>
+ <unix:path var_ref="var_accounts_user_dot_no_world_writable_programs_dirs"
+ var_check="at least one"/>
+ <unix:filename operation="pattern match">^\..*</unix:filename>
+ </unix:file_object>
+
+ <!-- #### creation of state #### -->
+ <unix:file_state id="state_accounts_user_dot_no_world_writable_programs" version="1"
+ operator='AND'>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ </unix:file_state>
+
+ <!-- #### creation of test #### -->
+ <unix:file_test id="test_accounts_user_dot_no_world_writable_programs" check="all"
+ check_existence="any_exist" version="1"
+ comment="All home directories have proper permissions">
+ <unix:object object_ref="object_accounts_user_dot_no_world_writable_programs_init_files"/>
+ <unix:state state_ref="state_accounts_user_dot_no_world_writable_programs"/>
+ </unix:file_test>
+</def-group>
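Review bot: `max_depth="-1"` on the file_object recurses the entire home directory tree, so every file whose own name starts with a dot, at any depth (e.g. dotfiles inside `.cache` or a repository's `.git` tree), is evaluated against the `gwrite`/`owrite` state rather than only the initialization files directly under the home directory; the equivalent object in accounts_user_dot_group_ownership uses `max_depth="1"`. If the wider scope is intended it deserves a comment on the behaviors element, otherwise `max_depth="1"` keeps the two rules consistent and avoids walking large trees on every scan. The file_test comment `All home directories have proper permissions` also describes a different check; `All user initialization files are not group- or world-writable` matches the state it references.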
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
new file mode 100644
index 00000000000..7a2b35eba77
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/expected_permissions.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f 755 /home/$USER/.*
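Review bot: The glob `/home/$USER/.*` also expands to `/home/$USER/.` and `/home/$USER/..`, so `chmod -f 755` is applied to the home directory and to `/home` itself in addition to the dot files. At 755 that is harmless, but the same pattern in more_restrictive_permission.pass.sh applies `700` to `/home`, which locks every other test user out of their home directory on the test machine. `chmod -f 755 /home/$USER/.[^.]*` here (and `700` in the sibling script) limits the change to the dot files, which is also what the rule's OVAL evaluates.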
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
new file mode 100644
index 00000000000..af240252de3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/home_dirs_absent.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -M $USER
+# This make sure home dirs related to test environment users are also removed.
+rm -Rf /home/*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
new file mode 100644
index 00000000000..ed34f0940a7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/interactive_users_absent.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# remove all interactive users (ID >= 1000) from /etc/passwd
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
new file mode 100644
index 00000000000..5fcf95f5f96
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/lenient_permission.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+touch /home/$USER/.bashrc
+chmod -f o+w /home/$USER/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
new file mode 100644
index 00000000000..655c6d32e47
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/more_restrictive_permission.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f 700 /home/$USER/.*
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
new file mode 100644
index 00000000000..66439b768ca
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/tests/no_dot_file_ignored.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "$USER" > /home/$USER/$USER.txt
+chmod -f o+w /home/$USER/$USER.txt
From f7f5735115ad3fa98fac8644aa844ed54d4d5dd7 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 5 Nov 2021 14:07:55 +0100
Subject: [PATCH 4/4] OVAL, tests and remediation for rule:
accounts_umask_interactive_users
---
.../ansible/shared.yml | 12 ++++++
.../bash/shared.sh | 9 +++++
.../oval/shared.xml | 40 +++++++++++++++++++
.../tests/home_dirs_all_absent.pass.sh | 6 +++
.../tests/home_dirs_one_absent.pass.sh | 10 +++++
.../tests/interactive_users_absent.pass.sh | 4 ++
.../tests/no_dot_file_ignored.pass.sh | 5 +++
.../tests/umask_defined.fail.sh | 5 +++
8 files changed, 91 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
new file mode 100644
index 00000000000..142f10a2157
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+ ansible.builtin.shell:
+ cmd: |
+ for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
+ done
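Review bot: In `s/^\([\s]*umask\s*\)/#\1/g` the `[\s]` is a bracket expression matching a literal backslash or the letter `s`, not whitespace, so a `umask` line that is indented with spaces or tabs is left active and the rule keeps failing after remediation; `sed -i 's/^\(\s*umask\s*\)/#\1/g'` (or `[[:space:]]*` for portability) matches the indentation, and the same expression in bash/shared.sh needs the same change. `$dir` and the glob are unquoted in the `for` loop, so a home directory path containing whitespace is split into several paths, and the glob also matches dot-directories such as `.ssh`, which `sed -i` reports as not editable. The task name `Ensure interactive local users are the owners of their respective initialization files` is copied from the ownership rule and does not describe commenting out `umask` definitions.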
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
new file mode 100644
index 00000000000..0644b221df8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
||||
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..42dbdbbae46
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
||||
@@ -0,0 +1,40 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Ensure the Default Umask is Set Correctly For Interactive Users") }}}
|
||||
+ <criteria>
|
||||
+ <criterion test_ref="test_accounts_umask_interactive_users"
|
||||
+ comment="Ensure the Default Umask is Set Correctly For Interactive Users"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:password_object id="object_accounts_umask_interactive_users_objects" version="1">
|
||||
+ <unix:username datatype="string" operation="not equal">nobody</unix:username>
|
||||
+ <filter action="include">state_accounts_umask_interactive_users_interactive_uids</filter>
|
||||
+ </unix:password_object>
|
||||
+
|
||||
+ <unix:password_state id="state_accounts_umask_interactive_users_interactive_uids" version="1">
|
||||
+ <unix:user_id datatype="int" operation="greater than or equal">{{{ uid_min }}}</unix:user_id>
|
||||
+ </unix:password_state>
|
||||
+
|
||||
+ <local_variable id="var_accounts_umask_interactive_users_dirs" datatype="string" version="1"
|
||||
+ comment="Variable including all home dirs from interactive users">
|
||||
+ <object_component item_field="home_dir"
|
||||
+ object_ref="object_accounts_umask_interactive_users_objects"/>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- #### creation of object #### -->
|
||||
+ <ind:textfilecontent54_object id="object_accounts_umask_interactive_users"
|
||||
+ comment="Umask value from initialization files" version="1">
|
||||
+ <ind:path var_ref="var_accounts_umask_interactive_users_dirs" var_check="at least one"/>
|
||||
+ <ind:filename operation="pattern match">^\..*</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <!-- #### creation of test #### -->
|
||||
+ <ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
|
||||
+ check_existence="none_exist" version="1"
|
||||
+ comment="Umask must not be defined in user initialization files">
|
||||
+ <ind:object object_ref="object_accounts_umask_interactive_users"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..af240252de3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_all_absent.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -M $USER
|
||||
+# This make sure home dirs related to test environment users are also removed.
|
||||
+rm -Rf /home/*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..0ad9248d14b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/home_dirs_one_absent.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER1="cac_user1"
|
||||
+USER2="cac_user2"
|
||||
+
|
||||
+useradd -m $USER1
|
||||
+useradd -M $USER2
|
||||
+
|
||||
+# Make sure no umask definition exists in the startup files
|
||||
+sed -i 's/^\([\s]*umask\s*\)/#\1/g' /home/$USER1/.[^\.]?*
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ed34f0940a7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/interactive_users_absent.pass.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# remove all interactive users (ID >= 1000) from /etc/passwd
|
||||
+sed -i '/.*:[0-9]\{4,\}:/d' /etc/passwd
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..27f580ae45a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/no_dot_file_ignored.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "umask 022" > /home/$USER/nodotfile
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..f7835392acf
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/umask_defined.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "umask 022" >> /home/$USER/.bashrc
|
@ -0,0 +1,74 @@
|
||||
From 1b7bd47bd8fa3f828aca0bf0add7fc188893ef11 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Tue, 21 Sep 2021 07:44:29 -0500
|
||||
Subject: [PATCH 1/2] Add STIG references for FIPS
|
||||
|
||||
---
|
||||
.../integrity/crypto/configure_bind_crypto_policy/rule.yml | 1 +
|
||||
.../software/integrity/crypto/configure_crypto_policy/rule.yml | 1 +
|
||||
.../integrity/crypto/configure_kerberos_crypto_policy/rule.yml | 1 +
|
||||
.../integrity/crypto/configure_libreswan_crypto_policy/rule.yml | 1 +
|
||||
.../software/integrity/fips/enable_dracut_fips_module/rule.yml | 1 +
|
||||
5 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||||
index 5484e11ad9f..e58c9506083 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
|
||||
@@ -29,6 +29,7 @@ identifiers:
|
||||
references:
|
||||
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
|
||||
nist: SC-13,SC-12(2),SC-12(3)
|
||||
+ stigid@rhel8: RHEL-08-010020
|
||||
srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
|
||||
|
||||
ocil_clause: |-
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||||
index d4ea4db6c14..5eea87ac006 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
|
||||
@@ -65,6 +65,7 @@ references:
|
||||
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
|
||||
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
|
||||
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
|
||||
+ stigid@rhel8: RHEL-08-010020
|
||||
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
||||
|
||||
ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||||
index b219c9d2801..e1f5e55e8cd 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
|
||||
@@ -28,6 +28,7 @@ references:
|
||||
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
|
||||
nist: SC-13,SC-12(2),SC-12(3)
|
||||
srg: SRG-OS-000120-GPOS-00061
|
||||
+ stigid@rhel8: RHEL-08-010020
|
||||
|
||||
ocil_clause: 'the symlink does not exist or points to a different target'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||||
index cd03ecf30d1..1fffb2ad2b7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
|
||||
@@ -33,6 +33,7 @@ references:
|
||||
nist: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
|
||||
ospp: FCS_IPSEC_EXT.1.4,FCS_IPSEC_EXT.1.6
|
||||
srg: SRG-OS-000033-GPOS-00014
|
||||
+ stigid@rhel8: RHEL-08-010020
|
||||
|
||||
ocil_clause: |-
|
||||
Libreswan is installed and <tt>/etc/ipsec.conf</tt> does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
index 9486031be54..fe20c1958a6 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
||||
@@ -30,6 +30,7 @@ references:
|
||||
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
|
||||
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
|
||||
srg: SRG-OS-000478-GPOS-00223
|
||||
+ stigid@rhel8: RHEL-08-010020
|
||||
vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
|
||||
|
||||
ocil_clause: 'the Dracut FIPS module is not enabled'
|
||||
|
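--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.59-fix_6844-PR_7673.patch
@@ -0,0 +1,47 @@
+From 155a46f32b02fec3fa9a99d2a6fa2f1a5287fcaf Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Wed, 29 Sep 2021 09:43:56 -0500
+Subject: [PATCH] Add RHEL8 FIPS STIG ID to few rules
+
+---
+.../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 +
+.../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 1 +
+.../crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml | 1 +
+3 files changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+index 9ac0b55f65a..2f4fb79eb54 100644
+--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+@@ -29,6 +29,7 @@ references:
+nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
+nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
+srg: SRG-OS-000250-GPOS-00093
++ stigid@rhel8: RHEL-08-010020
+
+ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+index 682ca436b8d..adeae314fff 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+@@ -30,6 +30,7 @@ references:
+disa: CCI-001453
+nist: AC-17(2)
+srg: SRG-OS-000250-GPOS-00093
++ stigid@rhel8: RHEL-08-010020
+
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
+
+diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
+index d21f68ac17a..12e527ca33d 100644
+--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
++++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
+@@ -28,6 +28,7 @@ references:
+disa: CCI-001453
+nist: AC-17(2)
+srg: SRG-OS-000250-GPOS-00093
++ stigid@rhel8: RHEL-08-010020
+
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
+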
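--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.59-fix_7333-PR_7692.patch
@@ -0,0 +1,91 @@
+From c988807382a5c0e307567def55fcedcb2e3b75b7 Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Mon, 4 Oct 2021 12:18:05 -0500
+Subject: [PATCH 1/4] Update rsyslog_remote_loghost to match STIG and CIS
+
+STIG and CIS only match *.conf files and we matched all files.
+Moving to match the benchmarks.
+
+Fixes #7333
+---
+.../rsyslog_remote_loghost/oval/shared.xml | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+index 5895b7fab24..7b5d4968886 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+@@ -39,7 +39,7 @@
+
+<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_d" version="1">
+<ind:path>/etc/rsyslog.d</ind:path>
+- <ind:filename operation="pattern match">.*</ind:filename>
++ <ind:filename operation="pattern match">*.conf</ind:filename>
+<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
+<ind:instance datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
+
+From 19d72d76e6818f47e71245dece0d6faa62cfcdb1 Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Mon, 4 Oct 2021 13:11:10 -0500
+Subject: [PATCH 3/4] Add packages so that test suite pass in a container
+
+---
+.../rsyslog_remote_loghost/tests/line_commented.fail.sh | 1 +
+.../rsyslog_remote_loghost/tests/line_not_there.fail.sh | 1 +
+.../rsyslog_remote_loghost/tests/remote_configured.pass.sh | 1 +
+3 files changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
+index 52376effea2..760606278b3 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_commented.fail.sh
+@@ -1,4 +1,5 @@
+#!/bin/bash
++# packages = rsyslog
+
+CONF_FILE="/etc/rsyslog.conf"
+LOGHOST_LINE="*.* @@192.168.122.1:5000"
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
+index 8a55da88c8d..ac82180f21c 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/line_not_there.fail.sh
+@@ -1,4 +1,5 @@
+#!/bin/bash
++# packages = rsyslog
+
+CONF_FILE="/etc/rsyslog.conf"
+sed -i "/^\*\.\*.*/d" "$CONF_FILE"
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
+index 8122a490f25..3c396b4e52a 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/tests/remote_configured.pass.sh
+@@ -1,4 +1,5 @@
+#!/bin/bash
++# packages = rsyslog
+
+CONF_FILE="/etc/rsyslog.conf"
+LOGHOST_LINE="*.* @@192.168.122.1:5000"
+
+From e7110e97c808b82a8d6d91c9da42f6c5422747cf Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Mon, 11 Oct 2021 11:33:13 -0500
+Subject: [PATCH 4/4] Fix regex on rsyslog_remote_loghost
+
+---
+.../rsyslog_remote_loghost/oval/shared.xml | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+index 7b5d4968886..0fdd24e18c2 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
+@@ -39,7 +39,7 @@
+
+<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_d" version="1">
+<ind:path>/etc/rsyslog.d</ind:path>
+- <ind:filename operation="pattern match">*.conf</ind:filename>
++ <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
+<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
+<ind:instance datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>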
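Review bot: The narrowed filename pattern `^.+\.conf$` on the final hunk is not covered by any test: the three updated test scripts only touch `/etc/rsyslog.conf`, so a forwarding line placed in a drop-in without a `.conf` suffix — which this series now deliberately ignores — never gets a fail scenario and a later regression to `.*` would go unnoticed. A `tests/non_conf_dropin.fail.sh` that removes the `*.*` line from `/etc/rsyslog.conf` and writes `*.* @@192.168.122.1:5000` to `/etc/rsyslog.d/remote` (no suffix) would pin the intended behaviour. Since only `*.conf` drop-ins are now checked, the rule's description and OCIL text (outside this patch) should say so explicitly, presumably tying it to the include glob the main config uses — confirm against rsyslog_remote_loghost/rule.yml. The series also skips from PATCH 1/4 to 3/4; if dropping 2/4 was intentional, a one-line note in the patch file header would save the next rebaser from looking for it.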
@ -0,0 +1,51 @@
|
||||
From f74121fc8b4074854e7cd96cc276711e80b54131 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 18 Nov 2021 10:23:10 +0100
|
||||
Subject: [PATCH] Fix remediation for accounts_umask_interactive_users
|
||||
|
||||
Included logic to ensure sed command considers only hidden files,
|
||||
ignoring possible hidden folders.
|
||||
---
|
||||
.../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
|
||||
.../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
|
||||
.../tests/hidden_folder_ignored.pass.sh | 5 +++++
|
||||
3 files changed, 11 insertions(+), 2 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
index 142f10a2157..67064ac4a3b 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
@@ -8,5 +8,7 @@
|
||||
ansible.builtin.shell:
|
||||
cmd: |
|
||||
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
||||
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
|
||||
+ for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
|
||||
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
|
||||
+ done
|
||||
done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
index 0644b221df8..f81fdfe41fd 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
@@ -5,5 +5,7 @@
|
||||
# disruption = low
|
||||
|
||||
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
||||
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $dir/.[^\.]?*
|
||||
+ for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
|
||||
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
|
||||
+ done
|
||||
done
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b9e1b7519ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/hidden_folder_ignored.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+mkdir /home/$USER/.hiddenfolder
|
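Review bot: The `sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file` line kept in both the Bash and Ansible remediations will not comment out an indented `umask`: inside a POSIX bracket expression `[\s]` is the two literal characters `\` and `s`, not a whitespace class (GNU sed only expands character escapes such as `\t` inside a list), so only a `umask` at column 0 is rewritten, whereas the OVAL check's Perl-style `^[\s]*umask\s*` does flag indented lines and the rule would keep failing after remediation. Use `sed -i 's/^\([[:space:]]*umask[[:space:]]*\)/#\1/' "$file"` in both places (the `g` flag is redundant with a `^`-anchored pattern). The unquoted `$(find $dir …)` and `$dir` also word-split on home directories or dotfile names containing spaces; quoting `"$dir"` and reading `find … -print0` output with `while IFS= read -r -d '' file` avoids that. Note that `-type f` now skips dotfiles that are symlinks (e.g. a `.bashrc` managed from a dotfiles repo); whether the textfilecontent54 check reads through symlinks is not visible here, so confirm the check and the remediation agree on those. The added `hidden_folder_ignored.pass.sh` only covers the directory case; a fail test writing an indented `    umask 022` into `.bashrc` would catch the regex gap.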
@ -0,0 +1,759 @@
|
||||
commit 26f72c842ec184ed517fbf0d3224c421ad7cc9c6
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:33:50 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.59-multifile_templates-PR_7405.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index f6f2ab4..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,25 +0,0 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = medium
|
||||
-# disruption = medium
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- find:
|
||||
- paths:
|
||||
- - "/usr/lib"
|
||||
- - "/usr/lib64"
|
||||
- - "/lib"
|
||||
- - "/lib64"
|
||||
- file_type: "directory"
|
||||
- register: library_dirs_not_group_owned_by_root
|
||||
-
|
||||
-- name: "Set group ownership of system library dirs to root"
|
||||
- file:
|
||||
- path: "{{ item.path }}"
|
||||
- group: "root"
|
||||
- state: "directory"
|
||||
- mode: "{{ item.mode }}"
|
||||
- with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
|
||||
- when:
|
||||
- - library_dirs_not_group_owned_by_root.matched > 0
|
||||
- - item.gid != 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index 365b983..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,7 +0,0 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
-
|
||||
-find /lib \
|
||||
-/lib64 \
|
||||
-/usr/lib \
|
||||
-/usr/lib64 \
|
||||
-\! -group root -type d -exec chgrp root '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index 3af60ff..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,27 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="dir_group_ownership_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- directories therein, are group-owned by root.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_dir_group_ownership_lib_dir" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_dir_group_ownership_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_dir_group_ownership_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_dir_group_ownership_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
|
||||
- <unix:path operation="pattern match">(^\/lib(|64)\/|^\/usr\/lib(|64)\/)</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_group_owner_library_dirs_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_group_owner_library_dirs_not_root" version="1">
|
||||
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
index 8c0acc0..10203c9 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: sle12,sle15,rhel8,fedora
|
||||
+prodtype: fedora,rhel8,sle12,sle15,ubuntu2004
|
||||
|
||||
title: 'Verify that Shared Library Directories Have Root Group Ownership'
|
||||
|
||||
@@ -40,6 +40,7 @@ references:
|
||||
stigid@rhel8: RHEL-08-010350
|
||||
stigid@sle12: SLES-12-010876
|
||||
stigid@sle15: SLES-15-010356
|
||||
+ stigid@ubuntu2004: UBTU-20-010431
|
||||
|
||||
ocil_clause: 'any of these directories are not group-owned by root'
|
||||
|
||||
@@ -52,3 +53,14 @@ ocil: |-
|
||||
For each of these directories, run the following command to find files not
|
||||
owned by root:
|
||||
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chgrp root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ recursive: 'true'
|
||||
+ filegid: '0'
|
||||
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
|
||||
index ac96858..4c76824 100644
|
||||
--- a/products/ubuntu2004/profiles/stig.profile
|
||||
+++ b/products/ubuntu2004/profiles/stig.profile
|
||||
@@ -470,6 +470,7 @@ selections:
|
||||
# UBTU-20-010430 The Ubuntu operating system library files must be group-owned by root.
|
||||
|
||||
# UBTU-20-010431 The Ubuntu operating system library directories must be group-owned by root.
|
||||
+ - dir_group_ownership_library_dirs
|
||||
|
||||
# UBTU-20-010432 The Ubuntu operating system must be configured to preserve log records from failure events.
|
||||
- service_rsyslog_enabled
|
||||
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
|
||||
index 073d356..68fc2e1 100644
|
||||
--- a/shared/templates/file_groupowner/ansible.template
|
||||
+++ b/shared/templates/file_groupowner/ansible.template
|
||||
@@ -4,33 +4,44 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
|
||||
-- name: Find {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
|
||||
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
find:
|
||||
- paths: "{{{ FILEPATH }}}"
|
||||
- patterns: "{{{ FILE_REGEX }}}"
|
||||
+ paths: "{{{ path }}}"
|
||||
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
register: files_found
|
||||
|
||||
-- name: Ensure group owner on {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
|
||||
+- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
group: "{{{ FILEGID }}}"
|
||||
with_items:
|
||||
- "{{ files_found.files }}"
|
||||
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+
|
||||
+- name: Ensure group owner on {{{ path }}} recursively
|
||||
+ file:
|
||||
+ path: "{{{ path }}}"
|
||||
+ state: directory
|
||||
+ recurse: yes
|
||||
+ group: "{{{ FILEGID }}}"
|
||||
+
|
||||
{{% else %}}
|
||||
|
||||
-- name: Test for existence {{{ FILEPATH }}}
|
||||
+- name: Test for existence {{{ path }}}
|
||||
stat:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
register: file_exists
|
||||
|
||||
-- name: Ensure group owner {{{ FILEGID }}} on {{{ FILEPATH }}}
|
||||
+- name: Ensure group owner {{{ FILEGID }}} on {{{ path }}}
|
||||
file:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
group: "{{{ FILEGID }}}"
|
||||
when: file_exists.stat is defined and file_exists.stat.exists
|
||||
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
|
||||
diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template
|
||||
index 442e015..982d2f3 100644
|
||||
--- a/shared/templates/file_groupowner/bash.template
|
||||
+++ b/shared/templates/file_groupowner/bash.template
|
||||
@@ -4,13 +4,17 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
-readarray -t files < <(find {{{ FILEPATH }}})
|
||||
+readarray -t files < <(find {{{ path }}})
|
||||
for file in "${files[@]}"; do
|
||||
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
|
||||
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
|
||||
chgrp {{{ FILEGID }}} $file
|
||||
fi
|
||||
done
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;
|
||||
{{% else %}}
|
||||
-chgrp {{{ FILEGID }}} {{{ FILEPATH }}}
|
||||
+chgrp {{{ FILEGID }}} {{{ path }}}
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
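Review bot: The new RECURSIVE branch `find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \;` follows symbolic links, so a link planted inside the hardened tree (for instance in a subdirectory that unprivileged users can write to) redirects the chgrp to a directory outside `{{{ path }}}`; dropping `-L` (the default `-P` behaviour) keeps the remediation confined to the tree being fixed. The branch also changes directories only, while the Ansible remediation added in the same commit uses `recurse: yes` on the `file` module and therefore re-groups files as well, so the two remediations for one rule do not produce the same end state. A one-line comment such as `# directories only, to match the OVAL object (filename is nil)` above the find would at least record which scope is intended.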
|
||||
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
|
||||
index 1b637a6..fd2e5db 100644
|
||||
--- a/shared/templates/file_groupowner/oval.template
|
||||
+++ b/shared/templates/file_groupowner/oval.template
|
||||
@@ -1,8 +1,16 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
|
||||
+ {{% if FILEPATH is not string %}}
|
||||
+ {{{ oval_metadata("This test makes sure that FILEPATH is group owned by " + FILEGID + ".") }}}
|
||||
+ <criteria>
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <criterion comment="Check file group ownership of {{{ filepath }}}" test_ref="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
|
||||
+ {{% endfor %}}
|
||||
+ {{% else %}}
|
||||
{{{ oval_metadata("This test makes sure that " + FILEPATH + " is group owned by " + FILEGID + ".") }}}
|
||||
<criteria>
|
||||
<criterion comment="Check file group ownership of {{{ FILEPATH }}}" test_ref="test_file_groupowner{{{ FILEID }}}" />
|
||||
+ {{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
{{%- if MISSING_FILE_PASS -%}}
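Review bot: The list branch writes the literal word FILEPATH into the definition description, `oval_metadata("This test makes sure that FILEPATH is group owned by " + FILEGID + ".")`, so the rendered OVAL no longer says which paths are checked. Joining the list, e.g. `{{{ oval_metadata("This test makes sure that " + FILEPATH|join(", ") + " is group owned by " + FILEGID + ".") }}}`, keeps the description informative (assuming the standard Jinja `join` filter is available in the build environment, which seems likely). Since template.py in this commit always wraps `filepath` into a list, the `{{% else %}}` single-string branch appears unreachable and could either be dropped or carry a comment explaining why it is retained.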
|
||||
@@ -12,23 +20,31 @@
|
||||
{{# All defined files must exist. When using regex, at least one file must match #}}
|
||||
{{% set FILE_EXISTENCE = "all_exist" %}}
|
||||
{{%- endif -%}}
|
||||
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing group ownership of {{{ FILEPATH }}}" id="test_file_groupowner{{{ FILEID }}}" version="1">
|
||||
- <unix:object object_ref="object_file_groupowner{{{ FILEID }}}" />
|
||||
- <unix:state state_ref="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}" />
|
||||
+
|
||||
+
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing group ownership of {{{ filepath }}}" id="test_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
|
||||
+ <unix:object object_ref="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" />
|
||||
+ <unix:state state_ref="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}_{{{ loop.index0 }}}" />
|
||||
</unix:file_test>
|
||||
- <unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}" version="1">
|
||||
+ <unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}_{{{ loop.index0 }}}" version="1">
|
||||
<unix:group_id datatype="int">{{{ FILEGID }}}</unix:group_id>
|
||||
</unix:file_state>
|
||||
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_groupowner{{{ FILEID }}}" version="1">
|
||||
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_groupowner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
|
||||
{{%- if IS_DIRECTORY -%}}
|
||||
- <unix:path>{{{ FILEPATH }}}</unix:path>
|
||||
- {{%- if FILE_REGEX -%}}
|
||||
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
|
||||
- {{%- else -%}}
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- {{%- endif -%}}
|
||||
- {{%- else -%}}
|
||||
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
|
||||
- {{%- endif -%}}
|
||||
+ {{%- if FILE_REGEX %}}
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
|
||||
+ {{%- elif RECURSIVE %}}
|
||||
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename xsi:nil="true" />
|
||||
+ {{%- else %}}
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename xsi:nil="true" />
|
||||
+ {{%- endif %}}
|
||||
+ {{%- else %}}
|
||||
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
+ {{%- endif %}}
|
||||
</unix:file_object>
|
||||
+ {{% endfor %}}
|
||||
</def-group>
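Review bot: In the RECURSIVE branch `<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>` uses the configured directory verbatim as a regular expression, neither anchored nor escaped, so a rule on `/var/log` also evaluates `/srv/var/log` or `/var/logs`, and a `.` in the path matches any character. Anchoring the pattern, `^{{{ filepath[:-1] }}}(/.*)?$`, confines the object to the directory and its descendants; metacharacters in the path would still need escaping if the build's Jinja environment offers a regex-escape filter. Note also that with `<unix:filename xsi:nil="true" />` only directories are evaluated here, whereas the Ansible remediation in this commit also changes files beneath the path, so check and remediation differ in scope.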
|
||||
diff --git a/shared/templates/file_groupowner/template.py b/shared/templates/file_groupowner/template.py
|
||||
index 2263ae8..10baed9 100644
|
||||
--- a/shared/templates/file_groupowner/template.py
|
||||
+++ b/shared/templates/file_groupowner/template.py
|
||||
@@ -1,12 +1,25 @@
|
||||
-from ssg.utils import parse_template_boolean_value
|
||||
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
|
||||
|
||||
def _file_owner_groupowner_permissions_regex(data):
|
||||
- data["is_directory"] = data["filepath"].endswith("/")
|
||||
- if "file_regex" in data and not data["is_directory"]:
|
||||
- raise ValueError(
|
||||
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
|
||||
- "specify a directory. Append '/' to the filepath or remove the "
|
||||
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
|
||||
+ # this avoids code duplicates
|
||||
+ if isinstance(data["filepath"], str):
|
||||
+ data["filepath"] = [data["filepath"]]
|
||||
+
|
||||
+ if "file_regex" in data:
|
||||
+ # we can have a list of filepaths, but only one regex
|
||||
+ # instead of declaring the same regex multiple times
|
||||
+ if isinstance(data["file_regex"], str):
|
||||
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
|
||||
+
|
||||
+ # if the length of filepaths and file_regex are not the same, then error.
|
||||
+ # in case we have multiple regexes for just one filepath, than we need
|
||||
+ # to declare that filepath multiple times
|
||||
+ if len(data["filepath"]) != len(data["file_regex"]):
|
||||
+ raise ValueError(
|
||||
+ "You should have one file_path per file_regex. Please check "
|
||||
+ "rule '{0}'".format(data["_rule_id"]))
|
||||
+
|
||||
+ check_conflict_regex_directory(data)
|
||||
|
||||
|
||||
def preprocess(data, lang):
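Review bot: `isinstance(data["filepath"], str)` will not recognise a `unicode` value if this code still runs under Python 2, where YAML-loaded strings may be `unicode`; such a value would not be wrapped in a list and the templates' `{{% for path in FILEPATH %}}` would iterate over its characters, producing one OVAL object per character. If Python 2 is still a supported build host, a `string_types`-style tuple (`isinstance(data["filepath"], (str, type(u"")))`) is safer; if it is not, a comment saying so would spare the next reader the same question. The same normalisation is repeated for `data["file_regex"]` and copied verbatim into the file_owner and file_permissions templates, so a shared helper in ssg.utils next to `check_conflict_regex_directory` would keep the three in step.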
|
||||
@@ -14,6 +27,10 @@ def preprocess(data, lang):
|
||||
|
||||
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
|
||||
|
||||
+ data["recursive"] = parse_template_boolean_value(data,
|
||||
+ parameter="recursive",
|
||||
+ default_value=False)
|
||||
+
|
||||
if lang == "oval":
|
||||
data["fileid"] = data["_rule_id"].replace("file_groupowner", "")
|
||||
return data
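Review bot: `data["recursive"]` is parsed but never validated against the other options: a rule that sets `recursive` together with `file_regex`, or on a filepath without a trailing slash, is silently rendered by whichever template branch matches first (regex, then the plain-file branch), so the requested recursion is dropped without any build error. A guard next to the new parsing, e.g. `if data["recursive"] and ("file_regex" in data or not data["is_directory"]): raise ValueError("'recursive' needs a directory filepath and cannot be combined with 'file_regex' in rule '{0}'".format(data["_rule_id"]))`, would fail the build instead, assuming `is_directory` has already been set by `_file_owner_groupowner_permissions_regex` at this point (the start of `preprocess` is outside the hunk).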
|
||||
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
||||
index 6083fbe..80eaae8 100644
|
||||
--- a/shared/templates/file_owner/ansible.template
|
||||
+++ b/shared/templates/file_owner/ansible.template
|
||||
@@ -4,33 +4,44 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
|
||||
-- name: Find {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
|
||||
+- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
find:
|
||||
- paths: "{{{ FILEPATH }}}"
|
||||
- patterns: "{{{ FILE_REGEX }}}"
|
||||
+ paths: "{{{ path }}}"
|
||||
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
register: files_found
|
||||
|
||||
-- name: Ensure group owner on {{{ FILEPATH }}} file(s) matching {{{ FILE_REGEX }}}
|
||||
+- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
owner: "{{{ FILEUID }}}"
|
||||
with_items:
|
||||
- "{{ files_found.files }}"
|
||||
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+
|
||||
+- name: Ensure owner on {{{ path }}} recursively
|
||||
+ file:
|
||||
+ paths "{{{ path }}}"
|
||||
+ state: directory
|
||||
+ recurse: yes
|
||||
+ owner: "{{{ FILEUID }}}"
|
||||
+
|
||||
{{% else %}}
|
||||
|
||||
-- name: Test for existence {{{ FILEPATH }}}
|
||||
+- name: Test for existence {{{ path }}}
|
||||
stat:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
register: file_exists
|
||||
|
||||
-- name: Ensure owner {{{ FILEUID }}} on {{{ FILEPATH }}}
|
||||
+- name: Ensure owner {{{ FILEUID }}} on {{{ path }}}
|
||||
file:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
owner: "{{{ FILEUID }}}"
|
||||
when: file_exists.stat is defined and file_exists.stat.exists
|
||||
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
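Review bot: The new RECURSIVE task has a typo at `paths "{{{ path }}}"`: the colon is missing, which makes the rendered playbook invalid YAML, and the `file` module's argument is `path`, not `paths`; the line should read `path: "{{{ path }}}"` exactly as in the sibling file_groupowner template. Because this branch is only rendered for rules that set `recursive`, the defect would presumably surface only when such a rule is added and the playbook fails to load, so a template test case for the recursive variant would be worth adding alongside the fix.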
|
||||
diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template
|
||||
index 16025b7..27b5a2a 100644
|
||||
--- a/shared/templates/file_owner/bash.template
|
||||
+++ b/shared/templates/file_owner/bash.template
|
||||
@@ -4,13 +4,17 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
-readarray -t files < <(find {{{ FILEPATH }}})
|
||||
+readarray -t files < <(find {{{ path }}})
|
||||
for file in "${files[@]}"; do
|
||||
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
|
||||
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
|
||||
chown {{{ FILEUID }}} $file
|
||||
fi
|
||||
done
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;
|
||||
{{% else %}}
|
||||
-chown {{{ FILEUID }}} {{{ FILEPATH }}}
|
||||
+chown {{{ FILEUID }}} {{{ path }}}
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
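Review bot: `find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;` follows symbolic links, so a symlink inside the tree pointing elsewhere makes the chown land on the link target outside `{{{ path }}}`; removing `-L` keeps the remediation inside the directory being hardened. The branch also changes only directories, while the Ansible remediation introduced in the same commit (`recurse: yes` on the `file` module) changes files as well, so the two remediations for one rule diverge; whichever scope is intended should be stated in a comment and applied consistently.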
|
||||
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
|
||||
index 23ac161..105e29c 100644
|
||||
--- a/shared/templates/file_owner/oval.template
|
||||
+++ b/shared/templates/file_owner/oval.template
|
||||
@@ -1,8 +1,16 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
|
||||
+ {{% if FILEPATH is not string %}}
|
||||
+ {{{ oval_metadata("This test makes sure that FILEPATH is owned by " + FILEUID + ".") }}}
|
||||
+ <criteria>
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <criterion comment="Check file ownership of {{{ filepath }}}" test_ref="test_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" />
|
||||
+ {{% endfor %}}
|
||||
+ {{% else %}}
|
||||
{{{ oval_metadata("This test makes sure that " + FILEPATH + " is owned by " + FILEUID + ".") }}}
|
||||
<criteria>
|
||||
<criterion comment="Check file ownership of {{{ FILEPATH }}}" test_ref="test_file_owner{{{ FILEID }}}" />
|
||||
+ {{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
{{%- if MISSING_FILE_PASS -%}}
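Review bot: The list branch emits the placeholder name instead of the paths in the definition description, `oval_metadata("This test makes sure that FILEPATH is owned by " + FILEUID + ".")`, so readers of the generated content cannot see what is checked. Rendering the list, e.g. `{{{ oval_metadata("This test makes sure that " + FILEPATH|join(", ") + " is owned by " + FILEUID + ".") }}}`, restores that (assuming the standard Jinja `join` filter is available). The `{{% else %}}` branch appears unreachable now that template.py always converts `filepath` to a list, so it deserves either removal or a comment stating why it is kept.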
|
||||
@@ -12,23 +20,30 @@
|
||||
{{# All defined files must exist. When using regex, at least one file must match #}}
|
||||
{{% set FILE_EXISTENCE = "all_exist" %}}
|
||||
{{%- endif -%}}
|
||||
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing user ownership of {{{ FILEPATH }}}" id="test_file_owner{{{ FILEID }}}" version="1">
|
||||
- <unix:object object_ref="object_file_owner{{{ FILEID }}}" />
|
||||
- <unix:state state_ref="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" />
|
||||
+
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing user ownership of {{{ filepath }}}" id="test_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
|
||||
+ <unix:object object_ref="object_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" />
|
||||
+ <unix:state state_ref="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}_{{{ loop.index0 }}}" />
|
||||
</unix:file_test>
|
||||
- <unix:file_state id="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
|
||||
+ <unix:file_state id="state_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}_{{{ loop.index0 }}}" version="1">
|
||||
<unix:user_id datatype="int">{{{ FILEUID }}}</unix:user_id>
|
||||
</unix:file_state>
|
||||
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_owner{{{ FILEID }}}" version="1">
|
||||
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_owner{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
|
||||
{{%- if IS_DIRECTORY -%}}
|
||||
- <unix:path>{{{ FILEPATH }}}</unix:path>
|
||||
- {{%- if FILE_REGEX -%}}
|
||||
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
|
||||
- {{%- else -%}}
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- {{%- endif -%}}
|
||||
- {{%- else -%}}
|
||||
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
|
||||
- {{%- endif -%}}
|
||||
+ {{%- if FILE_REGEX %}}
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
|
||||
+ {{%- elif RECURSIVE %}}
|
||||
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename xsi:nil="true" />
|
||||
+ {{%- else %}}
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename xsi:nil="true" />
|
||||
+ {{%- endif %}}
|
||||
+ {{%- else %}}
|
||||
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
+ {{%- endif %}}
|
||||
</unix:file_object>
|
||||
+ {{% endfor %}}
|
||||
</def-group>
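Review bot: `<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>` in the RECURSIVE branch treats the configured directory as an unanchored, unescaped regular expression, so the object also collects unrelated trees whose names merely contain the string (`/var/log` matches `/srv/var/log`) and `.` acts as a wildcard. Anchoring it, `^{{{ filepath[:-1] }}}(/.*)?$`, limits the match to the directory and its subtree; escaping of metacharacters in the path would additionally be needed if the Jinja environment provides a filter for it. With `<unix:filename xsi:nil="true" />` the check covers directories only, which is narrower than the Ansible remediation in this commit that recurses over files too.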
|
||||
diff --git a/shared/templates/file_owner/template.py b/shared/templates/file_owner/template.py
|
||||
index 0dd0008..1391dcf 100644
|
||||
--- a/shared/templates/file_owner/template.py
|
||||
+++ b/shared/templates/file_owner/template.py
|
||||
@@ -1,12 +1,25 @@
|
||||
-from ssg.utils import parse_template_boolean_value
|
||||
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
|
||||
|
||||
def _file_owner_groupowner_permissions_regex(data):
|
||||
- data["is_directory"] = data["filepath"].endswith("/")
|
||||
- if "file_regex" in data and not data["is_directory"]:
|
||||
- raise ValueError(
|
||||
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
|
||||
- "specify a directory. Append '/' to the filepath or remove the "
|
||||
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
|
||||
+ # this avoids code duplicates
|
||||
+ if isinstance(data["filepath"], str):
|
||||
+ data["filepath"] = [data["filepath"]]
|
||||
+
|
||||
+ if "file_regex" in data:
|
||||
+ # we can have a list of filepaths, but only one regex
|
||||
+ # instead of declaring the same regex multiple times
|
||||
+ if isinstance(data["file_regex"], str):
|
||||
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
|
||||
+
|
||||
+ # if the length of filepaths and file_regex are not the same, then error.
|
||||
+ # in case we have multiple regexes for just one filepath, than we need
|
||||
+ # to declare that filepath multiple times
|
||||
+ if len(data["filepath"]) != len(data["file_regex"]):
|
||||
+ raise ValueError(
|
||||
+ "You should have one file_path per file_regex. Please check "
|
||||
+ "rule '{0}'".format(data["_rule_id"]))
|
||||
+
|
||||
+ check_conflict_regex_directory(data)
|
||||
|
||||
|
||||
def preprocess(data, lang):
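Review bot: This function body is now identical, line for line, to `_file_owner_groupowner_permissions_regex` in the file_groupowner and file_permissions template.py files added by the same commit, including the list normalisation and the length check, which means a future fix has to be applied three times. Moving the shared logic into ssg.utils next to the new `check_conflict_regex_directory` (e.g. a `normalize_filepath_and_regex(data)` helper) and calling it from each template would remove the duplication. The error text `You should have one file_path per file_regex` also refers to a key named `file_path`, while the rule key is `filepath`.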
|
||||
@@ -14,6 +27,10 @@ def preprocess(data, lang):
|
||||
|
||||
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
|
||||
|
||||
+ data["recursive"] = parse_template_boolean_value(data,
|
||||
+ parameter="recursive",
|
||||
+ default_value=False)
|
||||
+
|
||||
if lang == "oval":
|
||||
data["fileid"] = data["_rule_id"].replace("file_owner", "")
|
||||
return data
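Review bot: The newly parsed `data["recursive"]` is never cross-checked with `file_regex` or the directory requirement, so a rule combining `recursive` with `file_regex`, or with a filepath lacking a trailing slash, renders the non-recursive branch silently. A guard such as `if data["recursive"] and ("file_regex" in data or not data["is_directory"]): raise ValueError("'recursive' requires a directory filepath and excludes 'file_regex' in rule '{0}'".format(data["_rule_id"]))` after the new parsing would turn that into a build error, provided `is_directory` has already been set earlier in `preprocess` (whose start lies outside the hunk).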
|
||||
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
|
||||
index 029d03f..fc211bd 100644
|
||||
--- a/shared/templates/file_permissions/ansible.template
|
||||
+++ b/shared/templates/file_permissions/ansible.template
|
||||
@@ -3,33 +3,45 @@
|
||||
# strategy = configure
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
+
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
|
||||
-- name: Find {{{ FILEPATH }}} file(s)
|
||||
+- name: Find {{{ path }}} file(s)
|
||||
find:
|
||||
- paths: "{{{ FILEPATH }}}"
|
||||
- patterns: "{{{ FILE_REGEX }}}"
|
||||
+ paths: "{{{ path }}}"
|
||||
+ patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
register: files_found
|
||||
|
||||
-- name: Set permissions for {{{ FILEPATH }}} file(s)
|
||||
+- name: Set permissions for {{{ path }}} file(s)
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
mode: "{{{ FILEMODE }}}"
|
||||
with_items:
|
||||
- "{{ files_found.files }}"
|
||||
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+
|
||||
+- name: Set permissions for {{{ path }}} recursively
|
||||
+ file:
|
||||
+ path: "{{{ path }}}"
|
||||
+ state: directory
|
||||
+ recurse: yes
|
||||
+ mode: "{{{ FILEMODE }}}"
|
||||
+
|
||||
{{% else %}}
|
||||
|
||||
-- name: Test for existence {{{ FILEPATH }}}
|
||||
+- name: Test for existence {{{ path }}}
|
||||
stat:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
register: file_exists
|
||||
|
||||
-- name: Ensure permission {{{ FILEMODE }}} on {{{ FILEPATH }}}
|
||||
+- name: Ensure permission {{{ FILEMODE }}} on {{{ path }}}
|
||||
file:
|
||||
- path: "{{{ FILEPATH }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
mode: "{{{ FILEMODE }}}"
|
||||
when: file_exists.stat is defined and file_exists.stat.exists
|
||||
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
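Review bot: The RECURSIVE task applies a single numeric `mode: "{{{ FILEMODE }}}"` to every directory and every file beneath `{{{ path }}}` via `recurse: yes`, so a directory mode such as 0750 makes all regular files executable and a file mode such as 0640 strips the search bit from subdirectories. The bash and OVAL counterparts in this commit only act on directories (`-type d`, `<unix:filename xsi:nil="true" />`), so this remediation is both broader than the check and potentially damaging. If directories alone are intended, a `find` module task with `file_type: directory` feeding the `file` task matches the check; if files are intended as well, a symbolic mode with `X` (e.g. `u=rwX,g=rX,o=`) would avoid granting execute bits to files.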
|
||||
diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template
|
||||
index af9cf4e..e0d8fe9 100644
|
||||
--- a/shared/templates/file_permissions/bash.template
|
||||
+++ b/shared/templates/file_permissions/bash.template
|
||||
@@ -4,13 +4,17 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{% for path in FILEPATH %}}
|
||||
{{% if IS_DIRECTORY and FILE_REGEX %}}
|
||||
-readarray -t files < <(find {{{ FILEPATH }}})
|
||||
+readarray -t files < <(find {{{ path }}})
|
||||
for file in "${files[@]}"; do
|
||||
- if basename $file | grep -q '{{{ FILE_REGEX }}}'; then
|
||||
+ if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then
|
||||
chmod {{{ FILEMODE }}} $file
|
||||
fi
|
||||
done
|
||||
+{{% elif IS_DIRECTORY and RECURSIVE %}}
|
||||
+find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;
|
||||
{{% else %}}
|
||||
-chmod {{{ FILEMODE }}} {{{ FILEPATH }}}
|
||||
+chmod {{{ FILEMODE }}} {{{ path }}}
|
||||
{{% endif %}}
|
||||
+{{% endfor %}}
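Review bot: `find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \;` follows symbolic links, so a symlink under the hardened path can make the chmod hit a directory elsewhere on the system; omitting `-L` keeps the change within `{{{ path }}}`. The command also limits itself to directories while the Ansible remediation in the same commit (`recurse: yes` with the same mode) rewrites files too, so the rule's remediations disagree on both scope and risk; the intended scope should be fixed in one place and documented with a short comment above the find.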
|
||||
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
|
||||
index f570ff8..89083e8 100644
|
||||
--- a/shared/templates/file_permissions/oval.template
|
||||
+++ b/shared/templates/file_permissions/oval.template
|
||||
@@ -16,31 +16,47 @@
|
||||
{{%- endif -%}}
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
|
||||
- {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
|
||||
+ {{% if FILEPATH is not string %}}
|
||||
+ {{{ oval_metadata("This test makes sure that FILEPATH has mode " + FILEMODE + ".
|
||||
+ If the target file or directory has an extended ACL, then it will fail the mode check.
|
||||
+ ") }}}
|
||||
+ <criteria>
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <criterion comment="Check file mode of {{{ filepath }}}" test_ref="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}"{{{ ' negate="true"' if ALLOW_STRICTER_PERMISSIONS }}}/>
|
||||
+ {{% endfor %}}
|
||||
+ {{% else %}}
|
||||
+ {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
|
||||
If the target file or directory has an extended ACL, then it will fail the mode check.
|
||||
") }}}
|
||||
<criteria>
|
||||
<criterion comment="Check file mode of {{{ FILEPATH }}}" test_ref="test_file_permissions{{{ FILEID }}}"{{{ ' negate="true"' if ALLOW_STRICTER_PERMISSIONS }}}/>
|
||||
+ {{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
- <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing mode of {{{ FILEPATH }}}" id="test_file_permissions{{{ FILEID }}}" version="2">
|
||||
- <unix:object object_ref="object_file_permissions{{{ FILEID }}}" />
|
||||
- <unix:state state_ref="state_file_permissions{{{ FILEID }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}" />
|
||||
- </unix:file_test>
|
||||
- <unix:file_state id="state_file_permissions{{{ FILEID }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}"{{{ ' operator="OR"' if ALLOW_STRICTER_PERMISSIONS }}} version="2">
|
||||
+
|
||||
+ {{% for filepath in FILEPATH %}}
|
||||
+ <unix:file_test check="all" check_existence="{{{ FILE_EXISTENCE }}}" comment="Testing mode of {{{ filepath }}}" id="test_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="2">
|
||||
+ <unix:object object_ref="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" />
|
||||
+ <unix:state state_ref="state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}" />
|
||||
+ </unix:file_test>
|
||||
+ <unix:file_state id="state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_{{{ 'not_' if ALLOW_STRICTER_PERMISSIONS }}}{{{ FILEMODE }}}"{{{ ' operator="OR"' if ALLOW_STRICTER_PERMISSIONS }}} version="2">
|
||||
{{{ STATEMODE | indent(6) }}}
|
||||
- </unix:file_state>
|
||||
- <unix:file_object comment="{{{ FILEPATH }}}" id="object_file_permissions{{{ FILEID }}}" version="1">
|
||||
+ </unix:file_state>
|
||||
+ <unix:file_object comment="{{{ filepath }}}" id="object_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}" version="1">
|
||||
|
||||
{{%- if IS_DIRECTORY %}}
|
||||
- <unix:path>{{{ FILEPATH }}}</unix:path>
|
||||
{{%- if FILE_REGEX %}}
|
||||
- <unix:filename operation="pattern match">{{{ FILE_REGEX }}}</unix:filename>
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename operation="pattern match">{{{ FILE_REGEX[loop.index0] }}}</unix:filename>
|
||||
+ {{%- elif RECURSIVE %}}
|
||||
+ <unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>
|
||||
+ <unix:filename xsi:nil="true" />
|
||||
{{%- else %}}
|
||||
+ <unix:path>{{{ filepath[:-1] }}}</unix:path>
|
||||
<unix:filename xsi:nil="true" />
|
||||
{{%- endif %}}
|
||||
{{%- else %}}
|
||||
- <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ FILEPATH }}}</unix:filepath>
|
||||
+ <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
{{%- endif %}}
|
||||
|
||||
{{%- if ALLOW_STRICTER_PERMISSIONS %}}
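Review bot: The RECURSIVE branch `<unix:path operation="pattern match">{{{ filepath[:-1] }}}</unix:path>` uses the directory name as an unanchored regex, so it also evaluates directories that merely contain that string (`/var/log` matches `/srv/var/log`), and any `.` in the path matches arbitrary characters. `^{{{ filepath[:-1] }}}(/.*)?$` anchors it to the directory and its subtree; escaping of regex metacharacters in the path would still be needed if a suitable Jinja filter exists in the build. The list-branch description `oval_metadata("This test makes sure that FILEPATH has mode " + FILEMODE + ...` also prints the literal name FILEPATH rather than the paths; `FILEPATH|join(", ")` would restore a readable description.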
|
||||
@@ -49,8 +65,8 @@
|
||||
https://github.com/OpenSCAP/openscap/pull/1709 but this line should be kept until the
|
||||
fix is widely available. The fix is expected to be part of OpenSCAP >= 1.3.5.
|
||||
#}}
|
||||
- <filter action="include">state_file_permissions{{{ FILEID }}}_mode_not_{{{ FILEMODE }}}</filter>
|
||||
+ <filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
|
||||
{{%- endif %}}
|
||||
-
|
||||
- </unix:file_object>
|
||||
+ </unix:file_object>
|
||||
+ {{% endfor %}}
|
||||
</def-group>
|
||||
diff --git a/shared/templates/file_permissions/template.py b/shared/templates/file_permissions/template.py
|
||||
index 677e083..6e20a62 100644
|
||||
--- a/shared/templates/file_permissions/template.py
|
||||
+++ b/shared/templates/file_permissions/template.py
|
||||
@@ -1,12 +1,25 @@
|
||||
-from ssg.utils import parse_template_boolean_value
|
||||
+from ssg.utils import parse_template_boolean_value, check_conflict_regex_directory
|
||||
|
||||
def _file_owner_groupowner_permissions_regex(data):
|
||||
- data["is_directory"] = data["filepath"].endswith("/")
|
||||
- if "file_regex" in data and not data["is_directory"]:
|
||||
- raise ValueError(
|
||||
- "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
|
||||
- "specify a directory. Append '/' to the filepath or remove the "
|
||||
- "'file_regex' key.".format(data["_rule_id"], data["filepath"]))
|
||||
+ # this avoids code duplicates
|
||||
+ if isinstance(data["filepath"], str):
|
||||
+ data["filepath"] = [data["filepath"]]
|
||||
+
|
||||
+ if "file_regex" in data:
|
||||
+ # we can have a list of filepaths, but only one regex
|
||||
+ # instead of declaring the same regex multiple times
|
||||
+ if isinstance(data["file_regex"], str):
|
||||
+ data["file_regex"] = [data["file_regex"]] * len(data["filepath"])
|
||||
+
|
||||
+ # if the length of filepaths and file_regex are not the same, then error.
|
||||
+ # in case we have multiple regexes for just one filepath, than we need
|
||||
+ # to declare that filepath multiple times
|
||||
+ if len(data["filepath"]) != len(data["file_regex"]):
|
||||
+ raise ValueError(
|
||||
+ "You should have one file_path per file_regex. Please check "
|
||||
+ "rule '{0}'".format(data["_rule_id"]))
|
||||
+
|
||||
+ check_conflict_regex_directory(data)
|
||||
|
||||
|
||||
def preprocess(data, lang):
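Review bot: The error message `"You should have one file_path per file_regex. Please check rule '{0}'"` names a key `file_path`, but the rule attribute being counted is `filepath`, so a rule author searching their YAML for the reported key will not find it; `one filepath per file_regex` fixes the message. The body is otherwise a verbatim copy of the same function in the file_owner and file_groupowner template.py files from this commit, so moving the list normalisation and the length check into a single ssg.utils helper would avoid three diverging copies.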
|
||||
@@ -16,6 +29,10 @@ def preprocess(data, lang):
|
||||
|
||||
data["missing_file_pass"] = parse_template_boolean_value(data, parameter="missing_file_pass", default_value=False)
|
||||
|
||||
+ data["recursive"] = parse_template_boolean_value(data,
|
||||
+ parameter="recursive",
|
||||
+ default_value=False)
|
||||
+
|
||||
if lang == "oval":
|
||||
data["fileid"] = data["_rule_id"].replace("file_permissions", "")
|
||||
# build the state that describes our mode
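Review bot: `data["recursive"]` is accepted without validation, so a rule that combines it with `file_regex` or uses a filepath without a trailing slash is rendered by the regex or plain-file branch and the recursion request is silently ignored. Raising in `preprocess` when `data["recursive"] and ("file_regex" in data or not data["is_directory"])` would surface the misconfiguration at build time, assuming `is_directory` is set before this point (the beginning of `preprocess` is outside the hunk). A comment on the new parameter, `# recursive: apply the mode to the directory tree; only meaningful for directory filepaths`, would also document the option for rule authors.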
|
||||
diff --git a/ssg/utils.py b/ssg/utils.py
|
||||
index b0ded09..2248b1e 100644
|
||||
--- a/ssg/utils.py
|
||||
+++ b/ssg/utils.py
|
||||
@@ -303,3 +303,25 @@ def parse_template_boolean_value(data, parameter, default_value):
|
||||
raise ValueError(
|
||||
"Template parameter {} used in rule {} cannot accept the "
|
||||
"value {}".format(parameter, data["_rule_id"], value))
|
||||
+
|
||||
+
|
||||
+def check_conflict_regex_directory(data):
|
||||
+ """
|
||||
+ Validate that either all path are directories OR file_regex exists.
|
||||
+
|
||||
+ Throws ValueError.
|
||||
+ """
|
||||
+ for f in data["filepath"]:
|
||||
+ if "is_directory" in data and data["is_directory"] != f.endswith("/"):
|
||||
+ raise ValueError(
|
||||
+ "If passing a list of filepaths, all of them need to be "
|
||||
+ "either directories or files. Mixing is not possible. "
|
||||
+ "Please fix rules '{0}' filepath '{1}'".format(data["_rule_id"], f))
|
||||
+
|
||||
+ data["is_directory"] = f.endswith("/")
|
||||
+
|
||||
+ if "file_regex" in data and not data["is_directory"]:
|
||||
+ raise ValueError(
|
||||
+ "Used 'file_regex' key in rule '{0}' but filepath '{1}' does not "
|
||||
+ "specify a directory. Append '/' to the filepath or remove the "
|
||||
+ "'file_regex' key.".format(data["_rule_id"], f))
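Review bot: The docstring `Validate that either all path are directories OR file_regex exists.` does not describe the code: the loop requires every entry of `data["filepath"]` to agree on having a trailing slash, rejects `file_regex` on non-directory paths, and as a side effect sets `data["is_directory"]`, which the templates rely on. Something like `Require all filepaths to be either directories (trailing '/') or files, never a mix; reject 'file_regex' on file paths. Sets data['is_directory'] as a side effect. Raises ValueError.` would match the behaviour. Note that with an empty `filepath` list the key is never set, and the message `Please fix rules '{0}' filepath '{1}'` should read `rule`.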
|
@ -0,0 +1,245 @@
|
||||
From b8fd95776ce894006163b2bb5e34682e5844ca1e Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Thu, 21 Oct 2021 14:43:51 -0500
|
||||
Subject: [PATCH 1/5] Always esacpe parameter in ansible_set_config_file
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 5 +++--
|
||||
.../ansible/shared.yml | 5 +++--
|
||||
.../ansible/shared.yml | 5 +++--
|
||||
shared/macros-ansible.jinja | 17 ++++++++++-------
|
||||
4 files changed, 19 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
||||
index 637f90003b2..ca5a405f877 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
||||
@@ -5,5 +5,6 @@
|
||||
# disruption = low
|
||||
|
||||
{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
|
||||
- "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
|
||||
- value="x509/name", create='yes') }}}
|
||||
+ "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
|
||||
+ value="x509/name", create='yes')
|
||||
+}}}
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
index 5d11103fc0f..1f001f47e07 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
|
||||
@@ -4,6 +4,7 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
|
||||
- parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
|
||||
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
|
||||
+ parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ",
|
||||
+ separator_regex=" ")
|
||||
}}}
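Review bot: `parameter="$ActionSendStreamDriverMode"` is presumably spliced into the lineinfile `regexp` unescaped, as `ansible_set_config_file` does with `prefix_regex + parameter + separator_regex`, and `$` is an end-of-line anchor in a regex, so the pattern can never match an existing directive and each run appends another copy of the line instead of replacing it; the commit title says the parameter will be escaped, but nothing in this hunk does so yet. `separator_regex=" "` is also stricter than the `'\s'` used in the neighbouring rsyslog rule and will not match a tab or multiple spaces between directive and value; `separator_regex='\s+'` would be consistent.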
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
index 035ab152876..4016a08721e 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
@@ -4,6 +4,7 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
|
||||
- parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
|
||||
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
|
||||
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
|
||||
+ , separator_regex=" ")
|
||||
}}}
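Review bot: The leading comma on its own line, `, separator_regex=" ")`, is out of step with the other rsyslog rules in this series, which keep the comma at the end of the preceding argument; `separator=" ",` followed by `separator_regex=" ")` reads as the rest of the repository does. As with the sibling rule, `$DefaultNetstreamDriver` contains a regex anchor that presumably reaches the lineinfile `regexp` unescaped, so until the macro escapes it the task would append a duplicate line on every run, and `separator_regex='\s+'` would tolerate tabs and multiple spaces.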
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 563350743fe..0f8dba56dab 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -25,14 +25,17 @@ value: "Setting={{ varname1 }}"
|
||||
|
||||
Note that all string-like parameters are single quoted in the YAML.
|
||||
#}}
|
||||
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
|
||||
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
|
||||
- name: "{{{ msg or rule_title }}}"
|
||||
lineinfile:
|
||||
path: '{{{ path }}}'
|
||||
create: {{{ create }}}
|
||||
- {{%- if regex %}}
|
||||
+ {{%- if regex and not escape_regex %}}
|
||||
regexp: '{{{ regex }}}'
|
||||
{{%- endif %}}
|
||||
+ {{%- if regex and escape_regex %}}
|
||||
+ regexp: '{{ {{{ regex }}} | regex_escape }}'
|
||||
+ {{%- endif %}}
|
||||
{{%- if state == 'present' %}}
|
||||
line: '{{{ new_line }}}'
|
||||
state: present
|
||||
@@ -121,7 +124,7 @@ value: "Setting={{ varname1 }}"
|
||||
ini configuration files are best served with the ini Ansible module
|
||||
instead of lineinfile-based solutions.
|
||||
#}}
|
||||
-{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='') %}}
|
||||
+{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False) %}}
|
||||
{{{ ansible_only_lineinfile(msg, file, prefix_regex + parameter + separator_regex, parameter + separator + value, create=create, block=True, validate=validate, insert_after=insert_after, insert_before=insert_before) }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
@@ -143,12 +146,12 @@ value: "Setting={{ varname1 }}"
|
||||
{{%- set new_line = parameter + separator + value -%}}
|
||||
- name: '{{{ msg or rule_title }}}'
|
||||
block:
|
||||
- {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
|
||||
- {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
|
||||
+ {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
|
||||
{{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
|
||||
{{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
|
||||
- {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
|
||||
- {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
{{#
|
||||
|
||||
From 5635bf94c9274511e3d63feb8d4082c4ec9144f3 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Tue, 26 Oct 2021 13:01:27 -0500
|
||||
Subject: [PATCH 2/5] Fix a couple items from reviewers on ansible_lineinfile
|
||||
escaping
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 4 ++--
|
||||
shared/macros-ansible.jinja | 3 +--
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
index 4016a08721e..3cc18d4476e 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
|
||||
@@ -5,6 +5,6 @@
|
||||
# disruption = low
|
||||
|
||||
{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
|
||||
- parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
|
||||
- , separator_regex=" ")
|
||||
+ parameter="$DefaultNetstreamDriver", value="gtls", create=true,
|
||||
+ separator=" ", separator_regex=" ")
|
||||
}}}
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 0f8dba56dab..752d220bbfc 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -32,8 +32,7 @@ value: "Setting={{ varname1 }}"
|
||||
create: {{{ create }}}
|
||||
{{%- if regex and not escape_regex %}}
|
||||
regexp: '{{{ regex }}}'
|
||||
- {{%- endif %}}
|
||||
- {{%- if regex and escape_regex %}}
|
||||
+ {{%- elif regex and escape_regex %}}
|
||||
regexp: '{{ {{{ regex }}} | regex_escape }}'
|
||||
{{%- endif %}}
|
||||
{{%- if state == 'present' %}}
|
||||
|
||||
From f6541126a4d19bfef8752028467659ab9d9f74ed Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Tue, 2 Nov 2021 08:32:18 -0500
|
||||
Subject: [PATCH 3/5] Fix escaping in ansible_lineinfile macro
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 752d220bbfc..1e0ba6260bb 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -33,7 +33,7 @@ value: "Setting={{ varname1 }}"
|
||||
{{%- if regex and not escape_regex %}}
|
||||
regexp: '{{{ regex }}}'
|
||||
{{%- elif regex and escape_regex %}}
|
||||
- regexp: '{{ {{{ regex }}} | regex_escape }}'
|
||||
+ regexp: {{{ regex }}} | regex_escape
|
||||
{{%- endif %}}
|
||||
{{%- if state == 'present' %}}
|
||||
line: '{{{ new_line }}}'
|
||||
|
||||
From ef6d300a707dc272eaa9442ece135009287bfdf5 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Wed, 3 Nov 2021 11:15:11 -0500
|
||||
Subject: [PATCH 4/5] Move regex_escape to ansible_set_config_file_dir
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 1e0ba6260bb..8e7ce1a1206 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -25,15 +25,13 @@ value: "Setting={{ varname1 }}"
|
||||
|
||||
Note that all string-like parameters are single quoted in the YAML.
|
||||
#}}
|
||||
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
|
||||
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
|
||||
- name: "{{{ msg or rule_title }}}"
|
||||
lineinfile:
|
||||
path: '{{{ path }}}'
|
||||
create: {{{ create }}}
|
||||
- {{%- if regex and not escape_regex %}}
|
||||
+ {{%- if regex %}}
|
||||
regexp: '{{{ regex }}}'
|
||||
- {{%- elif regex and escape_regex %}}
|
||||
- regexp: {{{ regex }}} | regex_escape
|
||||
{{%- endif %}}
|
||||
{{%- if state == 'present' %}}
|
||||
line: '{{{ new_line }}}'
|
||||
@@ -138,19 +136,19 @@ value: "Setting={{ varname1 }}"
|
||||
{{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
|
||||
{{%- set dir_exists = var_dir + "_exists" -%}}
|
||||
{{%- set dir_parameter = var_dir + "_has_parameter" -%}}
|
||||
-{{%- set line_regex = prefix_regex + parameter + separator_regex -%}}
|
||||
+{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
|
||||
{{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
|
||||
{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
|
||||
{{%- set lineinfile_when = dir_parameter + ".matched" -%}}
|
||||
{{%- set new_line = parameter + separator + value -%}}
|
||||
- name: '{{{ msg or rule_title }}}'
|
||||
block:
|
||||
- {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
|
||||
- {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
|
||||
{{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
|
||||
{{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
|
||||
- {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
|
||||
- {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
|
||||
+ {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
|
||||
{{%- endmacro %}}
|
||||
|
||||
{{#
|
||||
|
||||
From c29550ef26fc283ce5e72038fddf70aa716f4d1c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Burket <mburket@redhat.com>
|
||||
Date: Thu, 4 Nov 2021 08:53:42 -0500
|
||||
Subject: [PATCH 5/5] Fix ansible-lint lint issues
|
||||
|
||||
---
|
||||
shared/macros-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
||||
index 8e7ce1a1206..76f05e76b88 100644
|
||||
--- a/shared/macros-ansible.jinja
|
||||
+++ b/shared/macros-ansible.jinja
|
||||
@@ -136,7 +136,7 @@ value: "Setting={{ varname1 }}"
|
||||
{{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
|
||||
{{%- set dir_exists = var_dir + "_exists" -%}}
|
||||
{{%- set dir_parameter = var_dir + "_has_parameter" -%}}
|
||||
-{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
|
||||
+{{%- set line_regex = prefix_regex + "{{ \"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
|
||||
{{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
|
||||
{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
|
||||
{{%- set lineinfile_when = dir_parameter + ".matched" -%}}
|
@ -0,0 +1,71 @@
|
||||
From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 14 Oct 2021 12:12:16 +0200
|
||||
Subject: [PATCH] Set sshd priv keys permissions 600 for all products.
|
||||
|
||||
---
|
||||
.../file_permissions_sshd_private_key/rule.yml | 15 +++------------
|
||||
.../tests/correct_value.pass.sh | 8 +-------
|
||||
.../tests/multiple_keys.fail.sh | 2 +-
|
||||
4 files changed, 7 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
index bda7ae4d53b..ddda4075e21 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
||||
@@ -3,11 +3,7 @@ documentation_complete: true
|
||||
title: 'Verify Permissions on SSH Server Private *_key Key Files'
|
||||
|
||||
description: |-
|
||||
- {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}
|
||||
{{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}
|
||||
- {{% else %}}
|
||||
- {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}
|
||||
- {{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
If an unauthorized user obtains the private SSH host key file, the host could be
|
||||
@@ -45,10 +41,10 @@ references:
|
||||
stigid@sle12: SLES-12-030220
|
||||
stigid@sle15: SLES-15-040250
|
||||
|
||||
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
|
||||
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'
|
||||
|
||||
ocil: |-
|
||||
- {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}
|
||||
+ {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}
|
||||
|
||||
template:
|
||||
name: file_permissions
|
||||
@@ -56,9 +52,4 @@ template:
|
||||
filepath: /etc/ssh/
|
||||
missing_file_pass: 'true'
|
||||
file_regex: ^.*_key$
|
||||
- filemode: '0640'
|
||||
- filemode@sle12: '0600'
|
||||
- filemode@sle15: '0600'
|
||||
- filemode@ubuntu1604: '0600'
|
||||
- filemode@ubuntu1804: '0600'
|
||||
- filemode@ubuntu2004: '0600'
|
||||
+ filemode: '0600'
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
|
||||
index 5790a48..f7cf8d9 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
|
||||
@@ -2,4 +2,4 @@
|
||||
#
|
||||
|
||||
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
|
||||
-chmod 0640 /etc/ssh/*_key
|
||||
+chmod 0600 /etc/ssh/*_key
|
||||
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
|
||||
index 6df9d61b715..7c0d6019702 100644
|
||||
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
|
||||
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
|
||||
@@ -4,4 +4,4 @@
|
||||
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
|
||||
chmod 0777 $FAKE_KEY
|
||||
FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
|
||||
-chmod 0640 $FAKE_KEY2
|
||||
+chmod 0600 $FAKE_KEY2
|
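Review bot: The diffstat in this patch's preamble does not match its hunks — it announces `4 files changed, 7 insertions(+), 21 deletions(-)` while listing three files, and the hunks below add 5 lines and remove 14 (the `correct_value.pass.sh` entry claims 8 changed lines for a one-line swap). `git apply` ignores the stat so the patch still applies, but since it was hand-edited it should be regenerated so the summary can be trusted. On the substance, `filemode: '0600'` now applies to every product and the OCIL text `-rw-------` agrees with it; where a product ships host keys group-readable to a dedicated group that its `ssh-keysign` helper runs under for host-based authentication, tightening to 0600 would lock that helper out, so the per-product split the first hunk removes may have been deliberate — confirm against each product's openssh packaging before applying the single mode everywhere.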
@ -0,0 +1,195 @@
|
||||
From bac8ca5091aa74eab66691fcb7a6ac0c944de9c6 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 23 Mar 2022 17:50:18 +0100
|
||||
Subject: [PATCH] Manually edited patch
|
||||
scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch.
|
||||
|
||||
---
|
||||
.../chronyd_or_ntpd_set_maxpoll/ansible/shared.yml | 6 +++---
|
||||
.../ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 6 +++---
|
||||
.../chronyd_or_ntpd_set_maxpoll/oval/shared.xml | 4 ++--
|
||||
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 4 +++-
|
||||
.../tests/chrony.pass.sh | 3 +++
|
||||
.../tests/chrony_one_pool_configured.pass.sh | 14 ++++++++++++++
|
||||
.../tests/chrony_one_pool_misconfigured.fail.sh | 14 ++++++++++++++
|
||||
.../chrony_one_pool_missing_parameter.fail.sh | 14 ++++++++++++++
|
||||
.../tests/chrony_one_server_misconfigured.fail.sh | 3 +++
|
||||
9 files changed, 59 insertions(+), 9 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
||||
index 3c83850..da0a622 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_rhel
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = low
|
||||
@@ -27,7 +27,7 @@
|
||||
- name: Update the maxpoll values in /etc/chrony.conf
|
||||
lineinfile:
|
||||
path: /etc/chrony.conf
|
||||
- regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
|
||||
+ regex: '^((?:server|pool).*maxpoll) [0-9]+(\s+.*)$'
|
||||
line: '\1 {{ var_time_service_set_maxpoll }}\2'
|
||||
backrefs: yes
|
||||
when: chrony_conf_exist_result.stat.exists
|
||||
@@ -43,7 +43,7 @@
|
||||
- name: Set the maxpoll values in /etc/chrony.conf
|
||||
lineinfile:
|
||||
path: /etc/chrony.conf
|
||||
- regex: '(^server\s+((?!maxpoll).)*)$'
|
||||
+ regex: '(^(?:server|pool)\s+((?!maxpoll).)*)$'
|
||||
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
|
||||
backrefs: yes
|
||||
when: chrony_conf_exist_result.stat.exists
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
||||
index b23deff..54b1b73 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
|
||||
@@ -8,9 +8,9 @@ config_file="/etc/ntp.conf"
|
||||
|
||||
|
||||
# Set maxpoll values to var_time_service_set_maxpoll
|
||||
-sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file"
|
||||
+sed -i "s/^\(\(server\|pool\).*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \3/" "$config_file"
|
||||
|
||||
-# Add maxpoll to server entries without maxpoll
|
||||
-grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do
|
||||
+# Add maxpoll to server or pool entries without maxpoll
|
||||
+grep "^\(server\|pool\)" "$config_file" | grep -v maxpoll | while read -r line ; do
|
||||
sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file"
|
||||
done
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
index 25a8589..76f8101 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
@@ -46,7 +46,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_chrony_set_maxpoll" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
@@ -77,7 +77,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_chrony_all_server_has_maxpoll" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^(?:server|pool)[\s]+[\S]+[\s]+(.*)</ind:pattern>
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
index 77af724..bd5150b 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
@@ -9,8 +9,10 @@ description: |-
|
||||
{{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
|
||||
<tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
|
||||
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
|
||||
- add the following:
|
||||
+ add the following after each `server` or `pool` entry:
|
||||
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
|
||||
+ to <pre>server</pre> directives. If using chrony any <pre>pool</pre> directives
|
||||
+ should be configured too.
|
||||
If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
||||
to pass.
|
||||
{{% if product == "rhcos4" %}}
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
||||
index 38f5031..60dfc29 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony.pass.sh
|
||||
@@ -5,6 +5,9 @@
|
||||
|
||||
yum remove -y ntp
|
||||
|
||||
+# Remove all pool options
|
||||
+sed -i "/^pool.*/d" /etc/chrony.conf
|
||||
+
|
||||
if ! grep "^server" /etc/chrony.conf ; then
|
||||
echo "server foo.example.net iburst maxpoll 10" >> /etc/chrony.conf
|
||||
elif ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..6cbeb0e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_configured.pass.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+#
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+
|
||||
+yum remove -y ntp
|
||||
+
|
||||
+# Remove all server or pool options
|
||||
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
||||
+
|
||||
+echo "pool pool.ntp.org iburst maxpoll 16" >> /etc/chrony.conf
|
||||
+
|
||||
+systemctl enable chronyd.service
|
||||
+
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..12f2cda
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_misconfigured.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+#
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+
|
||||
+yum remove -y ntp
|
||||
+
|
||||
+# Remove all server or pool options
|
||||
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
||||
+
|
||||
+echo "pool pool.ntp.org iburst maxpoll 18" >> /etc/chrony.conf
|
||||
+
|
||||
+systemctl enable chronyd.service
|
||||
+
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..1ef4798
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_pool_missing_parameter.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+#
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+
|
||||
+yum remove -y ntp
|
||||
+
|
||||
+# Remove all server options
|
||||
+sed -i "/^\(server\|pool\).*/d" /etc/chrony.conf
|
||||
+
|
||||
+echo "pool pool.ntp.org iburst" >> /etc/chrony.conf
|
||||
+
|
||||
+systemctl enable chronyd.service
|
||||
+
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
||||
index 0fc7840..6f86faf 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_one_server_misconfigured.fail.sh
|
||||
@@ -5,6 +5,9 @@
|
||||
|
||||
yum remove -y ntp
|
||||
|
||||
+# Remove all pool options
|
||||
+sed -i "/^pool.*/d" /etc/chrony.conf
|
||||
+
|
||||
if ! grep "^server.*maxpoll 10" /etc/chrony.conf; then
|
||||
sed -i "s/^server.*/& maxpoll 10/" /etc/chrony.conf
|
||||
fi
|
||||
--
|
||||
2.34.1
|
||||
|
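Review bot: The second OVAL object, `obj_chrony_all_server_has_maxpoll`, now matches `pool` lines with `^(?:server|pool)[\s]+[\S]+[\s]+(.*)`, which still requires whitespace after the address, so a bare `pool <host>` directive with no options is either not collected at all or — since `[\s]` also matches a newline — has the following line captured as its options, depending on how the engine applies the pattern; either way a pool entry lacking `maxpoll` can slip past if, as the object id suggests, the test only fails on collected items, and the new `chrony_one_pool_missing_parameter.fail.sh` writes `pool pool.ntp.org iburst` so it does not exercise that case. Using explicit horizontal separators and an optional tail, `^(?:server|pool)[ \t]+[^ \t\n]+[ \t]*(.*)$`, removes the ambiguity for both `server` and `pool`; the first object's `[\s]+[\S]+.*maxpoll` shape is harmless because it only collects lines that do carry a value. In the bash hunk, the loop that now also feeds `pool` lines into `sed -i "s/$line/& maxpoll …/"` interpolates the whole directive unescaped and unanchored into a BRE, so a directive containing `/`, `&` or `[` aborts or mangles the substitution; escaping `$line` and anchoring it with `^…$` keeps the remediation from touching an unintended line. The rule.yml description now reads "add the following after each `server` or `pool` entry … to <pre>server</pre> directives", which repeats itself and puts Markdown backticks into XCCDF text that renders them literally; one sentence such as `add <tt>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</tt> to every <tt>server</tt> or <tt>pool</tt> directive` would be clearer.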
2250
SOURCES/scap-security-guide-0.1.60-rhel8_stig_v1r4-PR_7930.patch
324
SOURCES/scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch
@ -0,0 +1,324 @@
|
||||
commit 2e1eeff365be8fde302620fae6691ccc523f6f9e
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:19:45 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
|
||||
index c95f1d4..9035eee 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
|
||||
@@ -29,11 +29,34 @@
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
-<ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
|
||||
- comment="check forkernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
- <ind:object object_ref="object_trust_cpu_rng_boot_param" />
|
||||
- <ind:state state_ref="state_trust_cpu_rng_boot_param_off" />
|
||||
+ {{% if product in ['rhel9'] %}}
|
||||
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
|
||||
+ comment="check kernel command line parameters for the argument for all boot entries."
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
|
||||
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_on"
|
||||
+ comment="check kernel command line parameters for the argument for all boot entries."
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
|
||||
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_on"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_grub2_kernel_trust_cpu_rng_entries" version="1">
|
||||
+ <ind:path>/boot/loader/entries/</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+ {{% else %}}
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
|
||||
+ comment="check for kernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="object_trust_cpu_rng_boot_param"/>
|
||||
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
|
||||
@@ -50,6 +73,7 @@
|
||||
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+ {{% endif %}}
|
||||
|
||||
<ind:textfilecontent54_state id="state_trust_cpu_rng_boot_param_on"
|
||||
version="1">
|
||||
@@ -61,5 +85,4 @@
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?random\.trust_cpu=off(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
-
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
index dae640f..b8ff66c 100644
|
||||
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
|
||||
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
|
||||
|
||||
title: 'Ensure IPv6 is disabled through kernel boot parameter'
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..fc649d7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Removes ipv6.disable argument from kernel command line in //boot/loader/entries/*.conf
|
||||
+
|
||||
+for file in /boot/loader/entries/*.conf ; do
|
||||
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
||||
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
|
||||
+ fi
|
||||
+done
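Review bot: The header comment on the fourth line has a doubled slash in the path it documents, `//boot/loader/entries/*.conf`, while the loop below iterates `/boot/loader/entries/*.conf`; the comment should read `# Removes ipv6.disable argument from kernel command line in /boot/loader/entries/*.conf`. The loop itself has no `nullglob`, so on a system with no BLS entries the literal glob reaches `grep -q`, which just returns non-zero and the script ends silently; that is acceptable for a fail-scenario script but worth a one-line comment so the next reader does not mistake it for a bug.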
|
||||
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..3c1cde1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Break the ipv6.disable argument in kernel command line in /boot/loader/entries/*.conf
|
||||
+
|
||||
+for file in /boot/loader/entries/*.conf ; do
|
||||
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
||||
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
||||
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
|
||||
+ else
|
||||
+ # no ipv6.disable=arg is present, append it
|
||||
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts|options\).*\)/\1 ipv6\.disable=0/' "$file"
|
||||
+ fi
|
||||
+done
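Review bot: The append branch never fires for BLS entry files, because sed's basic regex treats the unescaped `|` in `\(vmlinuz\|kernelopts|options\)` as a literal character, so the third alternative is the string `kernelopts|options` rather than `options`; since `/boot/loader/entries/*.conf` carry the kernel command line on an `options ...` line, an entry without `ipv6.disable=` is left untouched and the scenario does not actually produce a wrong value. The alternation should be `\|`: `sed -i 's/\(^.*\(vmlinuz\|kernelopts\|options\).*\)/\1 ipv6\.disable=0/' "$file"`. The same replacement also drops the unused `\2` back-reference, which is harmless but misleading.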
|
||||
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||
index b5f55ae..3eebbd9 100644
|
||||
--- a/shared/macros-bash.jinja
|
||||
+++ b/shared/macros-bash.jinja
|
||||
@@ -684,3 +684,43 @@ dpkg-query --show --showformat='${db:Status-Status}\n' "{{{ pkgname }}}" 2>/dev/
|
||||
rpm --quiet -q "{{{ pkgname }}}"
|
||||
{{%- endif -%}}
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+{{#
|
||||
+
|
||||
+ Remediation for grub2 bootloader arguments
|
||||
+#}}
|
||||
+{{% macro grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) %}}
|
||||
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
+{{% if '/' in ARG_NAME %}}
|
||||
+{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
+{{% elif '/' in ARG_NAME_VALUE %}}
|
||||
+{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
+{{% endif %}}
|
||||
+# Correct the form of default kernel command line in GRUB
|
||||
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
|
||||
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
|
||||
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
|
||||
+else
|
||||
+ # no {{{ ARG_NAME }}}=arg is present, append it
|
||||
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
|
||||
+fi
|
||||
+
|
||||
+{{% if 'ubuntu' in product %}}
|
||||
+update-grub
|
||||
+{{% else %}}
|
||||
+# Correct the form of kernel command line for each installed kernel in the bootloader
|
||||
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
||||
+{{% endif %}}
|
||||
+{{% else %}}
|
||||
+# Correct grub2 kernelopts value using grub2-editenv
|
||||
+existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
|
||||
+if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
|
||||
+ if test -n "$existing_kernelopts"; then
|
||||
+ grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}"
|
||||
+ else
|
||||
+ grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
|
||||
+ fi
|
||||
+fi
|
||||
+{{% endif %}}
|
||||
+
|
||||
+{{% endmacro %}}
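Review bot: The new `grub2_bootloader_argument_remediation` macro is a verbatim copy of the body of `shared/templates/grub2_bootloader_argument/bash.template` (the product condition, the `/` guards, the `/etc/default/grub` sed, and the grubby / grub2-editenv branches), and nothing in the header comment records that, so the two will drift the next time either is patched; I would extend the `{{# ... #}}` block to say the macro must stay in sync with that template, or better, have the template call the macro. The `/` guard only protects the sed delimiter: a `.` in `ARG_NAME` is still an unescaped regex metacharacter in the `grep -q` and `sed` patterns and in the `grep -qE` kernelopts check, which is benign for current callers but deserves a comment such as `# NOTE: ARG_NAME/ARG_NAME_VALUE are used unescaped in regexes; '.' matches any character`.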
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index cecd1f9..fd75db4 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -1,6 +1,6 @@
|
||||
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
|
||||
|
||||
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
{{% if '/' in ARG_NAME %}}
|
||||
{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
{{% elif '/' in ARG_NAME_VALUE %}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
index e8da1fe..3ea8acb 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/oval.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/oval.template
|
||||
@@ -2,9 +2,14 @@
|
||||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
|
||||
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
|
||||
<criteria operator="AND">
|
||||
- {{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
- <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
|
||||
+ {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
+ {{% if product in ['rhel9'] %}}
|
||||
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
|
||||
+ {{% else %}}
|
||||
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
|
||||
+ {{% endif %}}
|
||||
<criteria operator="OR">
|
||||
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
||||
@@ -22,7 +27,7 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
|
||||
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
|
||||
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
@@ -50,6 +55,21 @@
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ {{% if product in ["rhel9"] %}}
|
||||
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
|
||||
+ comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} for all boot entries."
|
||||
+ check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:object object_ref="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" />
|
||||
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" version="1">
|
||||
+ <ind:path>/boot/loader/entries/</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+ {{% else %}}
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
|
||||
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
|
||||
check="all" check_existence="all_exist" version="1">
|
||||
@@ -68,6 +88,8 @@
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ {{% endif %}}
|
||||
+
|
||||
{{% else %}}
|
||||
|
||||
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
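Review bot: The new `test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries` test reuses `state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument`, a state defined outside this hunk for the `/etc/default/grub` object; that only works if the state's subexpression pattern is written against the captured group alone and does not anchor on `GRUB_CMDLINE_LINUX` or a closing quote, which I cannot confirm from here. A short comment on the `<ind:state state_ref=...>` line, e.g. `<!-- state is shared with the /etc/default/grub test; it must match the bare value captured by "^options (.*)$" -->`, would make the coupling explicit. With `check_existence="all_exist"` and `check="all"` every `*.conf` under `/boot/loader/entries/`, including rescue entries, must carry the argument on its `options` line; if that is intended it is worth stating in the test's `comment` attribute.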
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py
|
||||
index 7c32daa..60951cf 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/template.py
|
||||
+++ b/shared/templates/grub2_bootloader_argument/template.py
|
||||
@@ -6,6 +6,7 @@ def preprocess(data, lang):
|
||||
if lang == "oval":
|
||||
# escape dot, this is used in oval regex
|
||||
data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
||||
+ data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
|
||||
# replace . with _, this is used in test / object / state ids
|
||||
data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"])
|
||||
return data
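Review bot: The new `data["escaped_arg_name"]` is assigned only under `if lang == "oval":`, yet the bash test scenario `wrong_value_entries.fail.sh` added in this same patch references `{{{ ESCAPED_ARG_NAME }}}`; if test scripts are rendered with any `lang` other than `"oval"`, that name is undefined at render time. Moving the assignment above the `if`, next to the `sanitized_arg_name` line, makes it available to every language: `data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")`. The `preprocess` function's signature is only visible in the hunk header, so the rest of its body is outside this view.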
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..fdf2a5d
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+# Removes audit argument from kernel command line in /boot/grub2/grubenv
|
||||
+file="/boot/grub2/grubenv"
|
||||
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
|
||||
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"
|
||||
+fi
|
||||
+
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..a56e6d0
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Removes argument from kernel command line in /etc/default/grub
|
||||
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
|
||||
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
||||
+fi
|
||||
+
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..b6454a9
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..5a97ec2
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8
|
||||
+
|
||||
+# Break the argument in kernel command line in /boot/grub2/grubenv
|
||||
+file="/boot/grub2/grubenv"
|
||||
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
|
||||
+ # modify the GRUB command-line if the arg already exists
|
||||
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
|
||||
+else
|
||||
+ # no arg is present, append it
|
||||
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
|
||||
+fi
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..09861aa
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 9
|
||||
+
|
||||
+# Removes argument from kernel command line in /boot/loader/entries/*.conf
|
||||
+
|
||||
+for file in /boot/loader/entries/*.conf ; do
|
||||
+ if grep -q '^.*{{{ ESCAPED_ARG_NAME }}}=.*' "$file" ; then
|
||||
+ # modify the GRUB command-line if an audit= arg already exists
|
||||
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
|
||||
+ else
|
||||
+ # no audit=arg is present, append it
|
||||
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
|
||||
+ fi
|
||||
+done
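Review bot: The `else` branch cannot add a wrong value to a BLS entry, because its pattern `\(vmlinuz\|kernelopts\)` matches neither alternative in `/boot/loader/entries/*.conf`, whose command line sits on an `options ...` line; the scenario therefore only breaks entries that already carry the argument. The pattern should include `options`: `sed -i 's/\(^.*\(vmlinuz\|kernelopts\|options\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"`. The `grep -q` uses `{{{ ESCAPED_ARG_NAME }}}` while both `sed` lines use the unescaped `{{{ARG_NAME}}}`, so the two disagree whenever the argument contains a `.`; and the three comments still talk about "audit" and "Removes argument" although the script sets a wrong value for an arbitrary argument, so they should read e.g. `# Set a wrong value for {{{ARG_NAME}}} in /boot/loader/entries/*.conf`.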
|
@ -0,0 +1,84 @@
|
||||
commit c68d33e672264e1b4f2c664004d258ddfc198856
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:15:07 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.60-sysctl_d_directories-PR_7999.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..48a2665
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
|
||||
@@ -0,0 +1,23 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/sysctl.sh
|
||||
+
|
||||
+setting_name="kernel.randomize_va_space"
|
||||
+setting_value="2"
|
||||
+# sysctl -w "$setting_name=$setting_value"
|
||||
+if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
|
||||
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
|
||||
+else
|
||||
+ echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
|
||||
+fi
|
||||
+
|
||||
+setting_name="kernel.randomize_va_space"
|
||||
+setting_value="0"
|
||||
+# sysctl -w "$setting_name=$setting_value"
|
||||
+if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
|
||||
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
|
||||
+else
|
||||
+ echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
|
||||
+fi
|
||||
+
|
||||
+sysctl --system
|
||||
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
||||
index e4ccd84..3837b31 100644
|
||||
--- a/shared/templates/sysctl/ansible.template
|
||||
+++ b/shared/templates/sysctl/ansible.template
|
||||
@@ -3,6 +3,21 @@
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
+
|
||||
+- name: List /etc/sysctl.d/*.conf files
|
||||
+ find:
|
||||
+ paths: "/etc/sysctl.d/"
|
||||
+ contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
|
||||
+ patterns: "*.conf"
|
||||
+ register: find_sysctl_d
|
||||
+
|
||||
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||
+ replace:
|
||||
+ path: "{{ item }}"
|
||||
+ regexp: '^[\s]*{{{ SYSCTLVAR }}}'
|
||||
+ replace: '#{{{ SYSCTLVAR }}}'
|
||||
+ loop: "{{ find_sysctl_d.files }}"
|
||||
+
|
||||
{{%- if SYSCTLVAL == "" %}}
|
||||
- (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
|
||||
|
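Review bot: In the new "Comment out any occurrences" task, `path: "{{ item }}"` passes a whole dict to the `replace` module, because `find` registers `files` as a list of result dicts, not of path strings; the loop item's path is `{{ item.path }}`, which is exactly what the sudoers task later in this series uses (`path: "{{ item.path }}"`). The line should be `path: "{{ item.path }}"`. The `contains` and `regexp` patterns use `{{{ SYSCTLVAR }}}` unescaped, so the dots in a sysctl name match any character; that is unlikely to cause a false match in sysctl.d files but is worth a one-line comment.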
||||
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
|
||||
index a762794..5ec56fd 100644
|
||||
--- a/shared/templates/sysctl/bash.template
|
||||
+++ b/shared/templates/sysctl/bash.template
|
||||
@@ -4,6 +4,18 @@
|
||||
# complexity = low
|
||||
# disruption = medium
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||
+for f in /etc/sysctl.d/*.conf ; do
|
||||
+ matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
|
||||
+ if ! test -z "$matching_list"; then
|
||||
+ while IFS= read -r entry; do
|
||||
+ # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
|
||||
+ sed -i "s/^${entry}$/# &/g" $f
|
||||
+ done <<< "$matching_list"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
{{%- if SYSCTLVAL == "" %}}
|
||||
{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
|
||||
|
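Review bot: The `grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$'` on the `matching_list=` line requires at least one whitespace character before the variable name, so a setting written at column 0 (for example the `kernel.randomize_va_space = 0` the new test scenario appends to `/etc/sysctl.d/99-sysctl.conf`) is never matched and never commented out; the sibling Ansible template in this same patch uses `[\s]*`, and this one should too: `matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' "$f" | uniq )`. Two smaller points: `$f` is unquoted in both the `grep` and the `sed -i`, and the matched line is spliced into the `sed` address as a regex (`s/^${entry}$/# &/g`), so an entry containing `/` or other metacharacters would break or mis-apply the substitution; a comment stating that assumption, or escaping `entry` before use, would be prudent.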
@ -0,0 +1,155 @@
|
||||
commit 3c9a97de3a91b2a8fd85f13bb902e2529dd6fa67
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri Feb 25 13:51:41 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
index 8a28af0..02c69bd 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_all
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = high
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
index a0f5aeb..853f8ac 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
@@ -31,6 +31,8 @@ rationale: |-
|
||||
of initiating changes, including upgrades and modifications.
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-88692-9
|
||||
+ cce@rhel9: CCE-88693-7
|
||||
cce@sle12: CCE-83234-5
|
||||
cce@sle15: CCE-85753-2
|
||||
|
||||
@@ -40,6 +42,8 @@ references:
|
||||
disa: CCI-001499
|
||||
nerc-cip: CIP-003-3 R6
|
||||
nist: CM-5,CM-5(6),CM-5(6).1
|
||||
+ srg: SRG-OS-000259-GPOS-00100
|
||||
+ stigid@rhel8: RHEL-08-010331
|
||||
stigid@sle12: SLES-12-010872
|
||||
stigid@sle15: SLES-15-010352
|
||||
stigid@ubuntu2004: UBTU-20-010427
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index af07846..6e957c3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
index d58616b..55ff9ce 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
chmod -R 755 "$dirPath"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
index 98d18cd..c2b5b6b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
index 6df6e2f..40e6c42 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_rhel
|
||||
DIRS="/usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index adeae4a..fab5f3f 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -77,6 +77,7 @@ selections:
|
||||
- accounts_password_pam_difok
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 5d03125..d51e53a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -224,6 +224,9 @@ selections:
|
||||
# RHEL-08-010330
|
||||
- file_permissions_library_dirs
|
||||
|
||||
+ # RHEL-08-010331
|
||||
+ - dir_permissions_library_dirs
|
||||
+
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
||||
index 9acb63a..b751a74 100644
|
||||
--- a/products/rhel9/profiles/stig.profile
|
||||
+++ b/products/rhel9/profiles/stig.profile
|
||||
@@ -195,6 +195,9 @@ selections:
|
||||
# RHEL-08-010330
|
||||
- file_permissions_library_dirs
|
||||
|
||||
+ # RHEL-08-010331
|
||||
+ - dir_permissions_library_dirs
|
||||
+
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 1b83798..fef5fd8 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -2758,8 +2758,6 @@ CCE-88688-7
|
||||
CCE-88689-5
|
||||
CCE-88690-3
|
||||
CCE-88691-1
|
||||
-CCE-88692-9
|
||||
-CCE-88693-7
|
||||
CCE-88694-5
|
||||
CCE-88695-2
|
||||
CCE-88696-0
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index e4f9dd8..3b4b43a 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -175,6 +175,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
- directory_group_ownership_var_log_audit
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index d37d2ec..2e0e161 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -186,6 +186,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
- directory_group_ownership_var_log_audit
|
@ -0,0 +1,46 @@
|
||||
commit ae056f1639768deba6f51427419eb73f2e6e7626
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri Feb 25 14:20:55 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
index 51adb67..ed2734c 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
||||
@@ -27,7 +27,7 @@ references:
|
||||
cis@ubuntu2004: 1.4.1
|
||||
cjis: 5.10.1.3
|
||||
cobit5: APO01.06,BAI01.06,BAI02.01,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS04.07,DSS05.02,DSS05.03,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
||||
- disa: CCI-002699,CCI-001744
|
||||
+ disa: CCI-002696,CCI-002699,CCI-001744
|
||||
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
|
||||
isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 4.1,SR 6.2,SR 7.6'
|
||||
ism: 1034,1288,1341,1417
|
||||
@@ -35,8 +35,8 @@ references:
|
||||
nist: CM-6(a)
|
||||
nist-csf: DE.CM-1,DE.CM-7,PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1,PR.IP-3
|
||||
pcidss: Req-11.5
|
||||
- srg: SRG-OS-000363-GPOS-00150
|
||||
- stigid@rhel8: RHEL-08-010360
|
||||
+ srg: SRG-OS-000363-GPOS-00150,SRG-OS-000445-GPOS-00199
|
||||
+ stigid@rhel8: RHEL-08-010359
|
||||
stigid@sle12: SLES-12-010500
|
||||
stigid@sle15: SLES-15-010420
|
||||
stigid@ubuntu2004: UBTU-20-010450
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 705caa8..d6f0793 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -237,8 +237,10 @@ selections:
|
||||
- root_permissions_syslibrary_files
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
- # RHEL-08-010360
|
||||
+ # RHEL-08-010359
|
||||
- package_aide_installed
|
||||
+
|
||||
+ # RHEL-08-010360
|
||||
- aide_scan_notification
|
||||
|
||||
# RHEL-08-010370
|
@ -0,0 +1,326 @@
|
||||
commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 11:44:13 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..0d8c9e7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
|
||||
@@ -0,0 +1,21 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = configure
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
|
||||
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^#include(dir)?\s.*$'
|
||||
+ register: sudoers_d_includes
|
||||
+
|
||||
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: '^#include(dir)?\s.*$'
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_includes.files }}"
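Review bot: The two `^#include(dir)?\s.*$` patterns and the `ansible_lineinfile` regex only recognise the legacy `#include` / `#includedir` spelling; sudo releases from the 1.9 series also accept `@include` and `@includedir`, so on products where that syntax is in use a non-default include would survive this remediation and, presumably, the matching check as well. A regex such as `^[#@]include(dir)?\s.*$` covers both forms, and it is worth a comment on the task saying which sudo syntax is handled. The task name on the last task has a typo, `inclues`, and should read `Remove found occurrences of file and directory includes from /etc/sudoers.d/* files`.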
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..fbff5eb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
|
||||
@@ -0,0 +1,21 @@
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sudoers_config_file="/etc/sudoers"
|
||||
+sudoers_config_dir="/etc/sudoers.d"
|
||||
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
|
||||
+if [ "$sudoers_includedir_count" -gt 1 ]; then
|
||||
+ sed -i "/#includedir.*/d" "$sudoers_config_file"
|
||||
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
|
||||
+else
|
||||
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
|
||||
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
|
||||
+
|
||||
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
|
||||
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
|
||||
+fi
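Review bot: `sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")` is unanchored, so commented-out or doubly-commented lines such as `##includedir ...` are counted as include directives and push the script into the delete-and-append branch, which then removes them with the equally unanchored `sed -i "/#includedir.*/d"`; both should be anchored, `grep -c "^#includedir"` and `sed -i "/^#includedir.*/d"`, to match the `^#includedir` form the `else` branch already uses. The final block has two rough edges: `grep -Pr` prints the matching lines to stdout since it lacks `-q`, and `"$sudoers_config_dir"/*` is passed to `sed -i` unexpanded when the directory is empty, producing a "No such file" error, so `grep -qPr ...` plus a `nullglob`-style guard or a `find ... -exec sed -i` would be cleaner. As in the Ansible variant, only the `#include` spelling is handled, so `@include` / `@includedir` lines accepted by newer sudo versions are not touched; a comment should state that limitation.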
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..59cab0b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -0,0 +1,46 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_default_includedir" />
|
||||
+ <ind:state state_ref="state_sudoers_default_includedir" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+ <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
|
||||
+ <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_without_include" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||
+ <ind:object object_ref="object_sudoersd_without_includes" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
|
||||
+ <ind:path>/etc/sudoers.d/</ind:path>
|
||||
+ <ind:filename operation="pattern match">.*</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
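Review bot: All three tests carry the copy-pasted comment `comment="audit augenrules rmmod"`, which describes a different rule; replace them with what each test asserts, e.g. `comment="/etc/sudoers has exactly one #includedir and it points to /etc/sudoers.d"`, `comment="/etc/sudoers has no #include directive"` and `comment="no file in /etc/sudoers.d uses #include or #includedir"`. The first object's capture `^#includedir[\s]+(.*)$` swallows trailing whitespace, so `#includedir /etc/sudoers.d ` with a stray space or tab fails the `equals` state although sudo accepts it; `^#includedir[\s]+(\S+)\s*$` keeps the comparison exact without that false finding. None of the patterns match the `@include`/`@includedir` form accepted by sudo 1.9.1 and later, so on such a sudo a `@includedir /etc/other.d` line passes this definition; if those products are in scope the three patterns should start with `^[#@]include`.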
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..a97bd3e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -0,0 +1,40 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9
|
||||
+
|
||||
+title: 'Ensure sudo only includes the default configuration directory'
|
||||
+
|
||||
+description: |-
|
||||
+ Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||
+ other directories and configuration files from the file currently being parsed.
|
||||
+
|
||||
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
+ The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||
+ Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
|
||||
+ Use of these configuration options makes it easier for one compromised accound to be used to
|
||||
+ compromise other accounts.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-86277-1
|
||||
+ cce@rhel8: CCE-86377-9
|
||||
+ cce@rhel9: CCE-86477-7
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-010379
|
||||
+
|
||||
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
|
||||
+ run the following command:
|
||||
+ <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
|
||||
+ If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
|
||||
+ Any other line returned is a finding.
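Review bot: The rationale is lifted from the NOPASSWD/re-authentication rules and does not explain this rule, which is about where sudo reads policy from; it should say that `#include`/`#includedir` pull sudo policy from arbitrary files, so an unexpected include of another location lets whoever can write there (or a forgotten stale file) grant privileges outside the reviewed configuration, and that a second or wrong `#includedir` has the same effect. The rationale also has two typos, "configurtion" and "accound", and the ocil_clause misspells the directory, `ocil_clause: "/etc/sudoers doesn't include /etc/sudoers.d or includes other files or directories"`. The ocil's `grep -rP '^#include(dir)?'` will also print a commented `#include` inside a sudoers.d file whose name contains a dot or ends in `~`, which sudo ignores; a sentence telling the auditor that such files are skipped by sudo but still count as a finding here would avoid the argument at audit time.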
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..ac0c808
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..5bad822
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# duplicate default entry
|
||||
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
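Review bot: The duplicate is only appended when the default line is already present, so on an image whose /etc/sudoers lacks it the scenario silently turns into "no includedir" and the test fails for a reason it is not meant to cover. Ensure the line first and then append it unconditionally: `grep -q "#includedir /etc/sudoers.d" /etc/sudoers || echo "#includedir /etc/sudoers.d" >> /etc/sudoers` followed by `echo "#includedir /etc/sudoers.d" >> /etc/sudoers`.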
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..1e0ab8a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -i "/#includedir.*/d" /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..3f14ecc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+mkdir -p /etc/sudoers.d
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..8951507
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+mkdir -p /etc/sudoers.d
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..ad04880
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure default config is there
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+if ! grep -q "#include " /etc/sudoers; then
|
||||
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..09d14ea
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+# Ensure that there are two different indludedirs
|
||||
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
|
||||
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
|
||||
+fi
|
||||
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..55a072a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+sed -i "/#includedir.*/d" /etc/sudoers
|
||||
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index bfb3753..f5fed4a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -271,6 +271,9 @@ selections:
|
||||
# RHEL-08-010376
|
||||
- sysctl_kernel_perf_event_paranoid
|
||||
|
||||
+ # RHEL-08-010379
|
||||
+ - sudoers_default_includedir
|
||||
+
|
||||
# RHEL-08-010380
|
||||
- sudo_remove_nopasswd
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index ec92589..99bccc7 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -478,7 +478,6 @@ CCE-86373-8
|
||||
CCE-86374-6
|
||||
CCE-86375-3
|
||||
CCE-86376-1
|
||||
-CCE-86377-9
|
||||
CCE-86378-7
|
||||
CCE-86379-5
|
||||
CCE-86380-3
|
||||
@@ -576,7 +575,6 @@ CCE-86473-6
|
||||
CCE-86474-4
|
||||
CCE-86475-1
|
||||
CCE-86476-9
|
||||
-CCE-86477-7
|
||||
CCE-86478-5
|
||||
CCE-86479-3
|
||||
CCE-86480-1
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 2411f02..2dbc2e4 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -360,6 +360,7 @@ selections:
|
||||
- sudo_remove_nopasswd
|
||||
- sudo_require_reauthentication
|
||||
- sudo_restrict_privilege_elevation_to_authorized
|
||||
+- sudoers_default_includedir
|
||||
- sudoers_validate_passwd
|
||||
- sysctl_crypto_fips_enabled
|
||||
- sysctl_fs_protected_hardlinks
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index f0a9601..cd76884 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -371,6 +371,7 @@ selections:
|
||||
- sudo_remove_nopasswd
|
||||
- sudo_require_reauthentication
|
||||
- sudo_restrict_privilege_elevation_to_authorized
|
||||
+- sudoers_default_includedir
|
||||
- sudoers_validate_passwd
|
||||
- sysctl_crypto_fips_enabled
|
||||
- sysctl_fs_protected_hardlinks
|
@ -0,0 +1,19 @@
|
||||
commit b7f5c68f8172e88aed6ce22fb70dc48ef3148ffa
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Fri Feb 25 18:23:41 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
index 62b6f55..523ab62 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
@@ -41,7 +41,7 @@ references:
|
||||
srg: SRG-OS-000077-GPOS-00045
|
||||
stigid@ol7: OL07-00-010270
|
||||
stigid@rhel7: RHEL-07-010270
|
||||
- stigid@rhel8: RHEL-08-020220
|
||||
+ stigid@rhel8: RHEL-08-020221
|
||||
vmmsrg: SRG-OS-000077-VMM-000440
|
||||
|
||||
ocil_clause: |-
|
@ -0,0 +1,63 @@
|
||||
From f284885e417d86c408c9f94db02b4b7066d316be Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 7 Feb 2022 11:34:16 +0100
|
||||
Subject: [PATCH] Add RHEL-08-040321 to RHEL8 STIG profile
|
||||
|
||||
The STIG doesn't recommend the systems to target the graphical
|
||||
environment by default.
|
||||
---
|
||||
.../disabling_xwindows/xwindows_runlevel_target/rule.yml | 1 +
|
||||
products/rhel8/profiles/stig.profile | 3 +++
|
||||
products/rhel8/profiles/stig_gui.profile | 3 +++
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 +
|
||||
4 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
index de0e359a44e..df56a30be80 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
||||
@@ -39,6 +39,7 @@ references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a)
|
||||
nist-csf: PR.AC-3,PR.PT-4
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-040321
|
||||
|
||||
ocil_clause: 'the X windows display server is running and/or has not been disabled'
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 09fa85df181..ffca983d0bd 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1169,6 +1169,9 @@ selections:
|
||||
# RHEL-08-040320
|
||||
- xwindows_remove_packages
|
||||
|
||||
+ # RHEL-08-040321
|
||||
+ - xwindows_runlevel_target
|
||||
+
|
||||
# RHEL-08-040330
|
||||
- network_sniffer_disabled
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
|
||||
index d1577215b07..d29ceb9c54e 100644
|
||||
--- a/products/rhel8/profiles/stig_gui.profile
|
||||
+++ b/products/rhel8/profiles/stig_gui.profile
|
||||
@@ -35,3 +35,6 @@ extends: stig
|
||||
selections:
|
||||
# RHEL-08-040320
|
||||
- '!xwindows_remove_packages'
|
||||
+
|
||||
+ # RHEL-08-040321
|
||||
+ - '!xwindows_runlevel_target'
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 9c05c27117c..e4fee44f9f9 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -398,6 +398,7 @@ selections:
|
||||
- usbguard_generate_policy
|
||||
- wireless_disable_interfaces
|
||||
- xwindows_remove_packages
|
||||
+- xwindows_runlevel_target
|
||||
- var_rekey_limit_size=1G
|
||||
- var_rekey_limit_time=1hour
|
||||
- var_accounts_user_umask=077
|
SOURCES/scap-security-guide-0.1.61-file_groupowner-PR_7791.patch
@ -0,0 +1,492 @@
|
||||
commit 3cd2b8efbf9d91967e3e65bd2029f7ab3d400314
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:22:28 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-file_groupowner-PR_7791.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..de85c89
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml
|
||||
@@ -0,0 +1,38 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Audit Configuration Files Must Be Owned By Group root'
|
||||
+
|
||||
+description: |-
|
||||
+ All audit configuration files must be owned by group root.
|
||||
+ <pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ Without the capability to restrict which roles and individuals can
|
||||
+ select which events are audited, unauthorized personnel may be able
|
||||
+ to prevent the auditing of critical events.
|
||||
+ Misconfigured audits may degrade the system's performance by
|
||||
+ overwhelming the audit log. Misconfigured audits may also make it more
|
||||
+ difficult to establish, correlate, and investigate the events relating
|
||||
+ to an incident or identify those responsible for one.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000171
|
||||
+ srg: SRG-OS-000063-GPOS-00032
|
||||
+ stigid@ubuntu2004: UBTU-20-010135
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ describe_file_group_owner(file="/etc/audit/", group="root") }}}
|
||||
+ {{{ describe_file_group_owner(file="/etc/audit/rules.d/", group="root") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /etc/audit/
|
||||
+ - /etc/audit/rules.d/
|
||||
+ file_regex:
|
||||
+ - ^audit(\.rules|d\.conf)$
|
||||
+ - ^.*\.rules$
|
||||
+ filegid: '0'
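Review bot: The fix command in the description, `chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*`, relies on brace expansion and touches every file in rules.d, while the template's `file_regex` only evaluates `audit.rules`, `auditd.conf` and `rules.d/*.rules`; the text and the check should name the same set, e.g. `<pre>$ sudo chgrp root /etc/audit/audit.rules /etc/audit/auditd.conf /etc/audit/rules.d/*.rules</pre>`. The ocil calls `describe_file_group_owner` on the two directories, so the auditor is told to inspect directory ownership rather than the files the OVAL actually checks, and no `ocil_clause` is given; the sibling rules in this patch provide one. There is also no `prodtype`, unlike the other Ubuntu-only rules added here, which I assume is intended since the paths exist on every product.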
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5235e0d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/correct_groupowner.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+export TESTFILE=/etc/audit/rules.d/test_rule.rules
|
||||
+export AUDITFILE=/etc/audit/auditd.conf
|
||||
+mkdir -p /etc/audit/rules.d/
|
||||
+touch $TESTFILE
|
||||
+touch $AUDITFILE
|
||||
+chgrp root $TESTFILE
|
||||
+chgrp root $AUDITFILE
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..52378d8
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_groupownership_audit_configuration/tests/incorrect_groupowner.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+groupadd group_test
|
||||
+export TESTFILLE=/etc/audit/rules.d/test_rule.rules
|
||||
+export AUDITFILE=/etc/audit/auditd.conf
|
||||
+mkdir -p /etc/audit/rules.d/
|
||||
+touch $TESTFILLE
|
||||
+touch $AUDITFILE
|
||||
+chgrp group_test $TESTFILLE
|
||||
+chgrp group_test $AUDITFILE
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
index 5ddaf9f..b99705d 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log/rule.yml
|
||||
@@ -1,8 +1,15 @@
|
||||
+{{% if 'ubuntu' in product %}}
|
||||
+{{% set gid = 'syslog' %}}
|
||||
+{{% else %}}
|
||||
+{{% set gid = 'root' %}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+
|
||||
documentation_complete: true
|
||||
|
||||
title: 'Verify Group Who Owns /var/log Directory'
|
||||
|
||||
-description: '{{{ describe_file_group_owner(file="/var/log", group="root") }}}'
|
||||
+description: '{{{ describe_file_group_owner(file="/var/log", group=gid) }}}'
|
||||
|
||||
rationale: |-
|
||||
The <tt>/var/log</tt> directory contains files with logs of error
|
||||
@@ -21,13 +28,16 @@ references:
|
||||
stigid@rhel8: RHEL-08-010260
|
||||
stigid@ubuntu2004: UBTU-20-010417
|
||||
|
||||
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group="root") }}}'
|
||||
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log", group=gid) }}}'
|
||||
|
||||
ocil: |-
|
||||
- {{{ ocil_file_group_owner(file="/var/log", group="root") }}}
|
||||
+ {{{ ocil_file_group_owner(file="/var/log", group=gid) }}}
|
||||
|
||||
template:
|
||||
name: file_groupowner
|
||||
vars:
|
||||
filepath: /var/log/
|
||||
filegid: '0'
|
||||
+ filegid@ubuntu1604: '110'
|
||||
+ filegid@ubuntu1804: '110'
|
||||
+ filegid@ubuntu2004: '110'
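Review bot: Hard-coding GID 110 for the `syslog` group is fragile: on Debian/Ubuntu that group is created by the rsyslog package with a dynamically allocated system GID, so its value depends on install order, and on a host where 110 belongs to another group the check passes a wrongly owned /var/log or fails a correctly owned one. If the `file_groupowner` template can take a group name (I cannot see it from here), resolve `syslog` by name; otherwise at least document the assumption next to these lines, `# syslog GID is not fixed on Debian/Ubuntu; 110 matches a stock install only`. The `gid` variable set in the first hunk only feeds the description and ocil text, so the human-readable text and the machine check can disagree silently.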
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..f654279
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,27 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify Group Who Owns /var/log/syslog File'
|
||||
+
|
||||
+description: '{{{ describe_file_group_owner(file="/var/log/syslog", group="adm") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010420
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/syslog", group="adm") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_group_owner(file="/var/log/syslog", group="adm") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ filegid: '4'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..655b2cd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_groupownership_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,65 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that system commands directories are group owned by root'
|
||||
+
|
||||
+description: |-
|
||||
+ System commands files are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin
|
||||
+ </pre>
|
||||
+ All these directories should be owned by the <tt>root</tt> group.
|
||||
+ If the directory is found to be owned by a group other than root correct
|
||||
+ its ownership with the following command:
|
||||
+ <pre>$ sudo chgrp root <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ If the operating system allows any user to make changes to software
|
||||
+ libraries, then those changes might be implemented without undergoing the
|
||||
+ appropriate testing and approvals that are part of a robust change management
|
||||
+ process.
|
||||
+ This requirement applies to operating systems with software libraries
|
||||
+ that are accessible and configurable, as in the case of interpreted languages.
|
||||
+ Software libraries also include privileged programs which execute with
|
||||
+ escalated privileges. Only qualified and authorized individuals must be
|
||||
+ allowed to obtain access to information system components for purposes
|
||||
+ of initiating changes, including upgrades and modifications.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010425
|
||||
+
|
||||
+ocil_clause: 'any of these directories are not owned by root group'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System commands are stored in the following directories:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ For each of these directories, run the following command to find files not
|
||||
+ owned by root group:
|
||||
+ <pre>$ sudo find -L <i>$DIR</i> ! -group root -type d \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ filegid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index 28df783..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,23 +0,0 @@
|
||||
-# platform = multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = medium
|
||||
-# disruption = medium
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- find:
|
||||
- paths:
|
||||
- - "/usr/lib"
|
||||
- - "/usr/lib64"
|
||||
- - "/lib"
|
||||
- - "/lib64"
|
||||
- file_type: "directory"
|
||||
- register: library_dirs_not_owned_by_root
|
||||
-
|
||||
-- name: "Set ownership of system library dirs to root"
|
||||
- file:
|
||||
- path: "{{ item.path }}"
|
||||
- owner: "root"
|
||||
- state: "directory"
|
||||
- mode: "{{ item.mode }}"
|
||||
- with_items: "{{ library_dirs_not_owned_by_root.files }}"
|
||||
- when: library_dirs_not_owned_by_root.matched > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..f61a5f9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,77 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools are owned by group root'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ ownership configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010201
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chown :root [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with each audit tool not group-owned by root.
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ filegid: '0'
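Review bot: `srg: SRG-OS-000256-GPiOS-00097` is a typo for `SRG-OS-000256-GPOS-00097` and will not map to the SRG in generated tables. The ocil's "If the command does not return all the above lines, the missing ones need to be added" reads as if configuration lines were missing, whereas the lines are `stat` output; reword to "If any tool is listed with a group other than root, this is a finding." The `<pre>` sample in both description and ocil opens with a `$ stat` command and then shows output in the same block, so the reader cannot tell command from result; split them or prefix the output lines with a comment. `/sbin/audispd` exists with audit 2.x but was dropped in audit 3, so if the template fails on a missing path this rule will need revisiting when the product moves to audit 3 — worth a comment next to that entry.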
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
index 5598e47..a9e8c7d 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
index 7cf507c..33a0c85 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh
@@ -1,10 +1,12 @@
#!/bin/bash
|
||||
+groupadd group_test
+
for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
do
if [[ ! -f $TESTFILE ]]
then
touch $TESTFILE
fi
- chown nobody.nobody $TESTFILE
+ chgrp group_test $TESTFILE
done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index f5ca938..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,27 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
||||
- are owned by root.
|
||||
- ") }}}
|
||||
- <criteria >
|
||||
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
|
||||
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
|
||||
- <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
||||
- are owned by root. -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
|
||||
- <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
||||
- </unix:file_state>
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
index 83371b8..3b983de 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: sle12,sle15,rhel8,fedora
|
||||
+prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
|
||||
|
||||
title: |-
|
||||
Verify the system-wide library files in directories
|
||||
@@ -44,6 +44,7 @@ references:
|
||||
stigid@rhel8: RHEL-08-010350
|
||||
stigid@sle12: SLES-12-010875
|
||||
stigid@sle15: SLES-15-010355
|
||||
+ stigid@ubuntu2004: UBTU-20-01430
|
||||
|
||||
ocil_clause: 'system wide library files are not group owned by root'
|
||||
|
||||
@@ -57,3 +58,14 @@ ocil: |-
|
||||
To find if system-wide library files stored in these directories are not group-owned by
|
||||
root run the following command for each directory <i>DIR</i>:
|
||||
<pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_groupowner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ filegid: '0'
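Review bot: In this file's references hunk above, `stigid@ubuntu2004: UBTU-20-01430` has five digits after the prefix, whereas every other `stigid@ubuntu2004` value on this page (UBTU-20-010201, UBTU-20-010134, UBTU-20-010421, UBTU-20-010424, …) has six, so a digit is most likely missing. The Ubuntu STIG profile hunk further down keys its selections on these ids in comments, so a malformed id silently detaches the rule from the STIG item it is meant to cover. Please verify the value against the published STIG and correct it before the profile tooling consumes it. The template block added in this hunk is otherwise consistent with the sibling group-owner rules.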
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
||||
index a4ae285..0e982c3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..a4ae285
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+
|
||||
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
+do
|
||||
+ if [[ -d $SYSLIBDIRS ]]
|
||||
+ then
|
||||
+ find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
|
||||
+ fi
|
||||
+done
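Review bot: `tests/correct_groupowner.pass.sh` is added from blob `a4ae285`, which is exactly the pre-change blob of the sibling `correct_group.pass.sh` (its header reads `index a4ae285..0e982c3`), so this appears to be a stale copy left over from a rename rather than a new scenario; the same holds for `tests/incorrect_groupowner.fail.sh` (blob `c96f65b`, the old `incorrect_group.fail.sh`), which still uses `chown nobody.nobody $TESTFILE`, the form the updated sibling just replaced with `chgrp group_test $TESTFILE`. Neither copy carries `multi_platform_ubuntu` in its platform line, so they will not even run for the product this patch targets. Either drop the two duplicates or bring them in line with the updated siblings, including the `groupadd group_test` setup.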
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
||||
index c96f65b..23a7703 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
||||
@@ -1,10 +1,11 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
+groupadd group_test
|
||||
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
do
|
||||
if [[ ! -f $TESTFILE ]]
|
||||
then
|
||||
touch $TESTFILE
|
||||
fi
|
||||
- chown nobody.nobody $TESTFILE
|
||||
+ chgrp group_test $TESTFILE
|
||||
done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..c96f65b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+
|
||||
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
+do
|
||||
+ if [[ ! -f $TESTFILE ]]
|
||||
+ then
|
||||
+ touch $TESTFILE
|
||||
+ fi
|
||||
+ chown nobody.nobody $TESTFILE
|
||||
+done
|
278
SOURCES/scap-security-guide-0.1.61-file_owner-PR_7789.patch
Normal file
@ -0,0 +1,278 @@
|
||||
commit 74bab352f4bb5b52beaf70c6f23f60d4af4f9518
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:42:09 2022 +0100
|
||||
|
||||
Manual edited scap-security-guide-0.1.61-file_owner-PR_7789.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..968ef33
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml
|
||||
@@ -0,0 +1,39 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Audit Configuration Files Must Be Owned By Root'
|
||||
+
|
||||
+description: |-
|
||||
+ All audit configuration files must be owned by root user.
|
||||
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
||||
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ Without the capability to restrict which roles and individuals can
|
||||
+ select which events are audited, unauthorized personnel may be able
|
||||
+ to prevent the auditing of critical events.
|
||||
+ Misconfigured audits may degrade the system's performance by
|
||||
+ overwhelming the audit log. Misconfigured audits may also make it more
|
||||
+ difficult to establish, correlate, and investigate the events relating
|
||||
+ to an incident or identify those responsible for one.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000171
|
||||
+ srg: SRG-OS-000063-GPOS-00032
|
||||
+ stigid@ubuntu2004: UBTU-20-010134
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}
|
||||
+ {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /etc/audit/
|
||||
+ - /etc/audit/rules.d/
|
||||
+ file_regex:
|
||||
+ - ^audit(\.rules|d\.conf)$
|
||||
+ - ^.*\.rules$
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..4d67307
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = audit
|
||||
+
|
||||
+chown 0 /etc/audit/audit.rules
|
||||
+chown 0 /etc/audit/auditd.conf
|
||||
+chown 0 -R /etc/audit/rules.d/
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..337074f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# packages = audit
|
||||
+
|
||||
+useradd testuser_123
|
||||
+chown testuser_123 /etc/audit/audit.rules
|
||||
+chown testuser_123 /etc/audit/auditd.conf
|
||||
+chown testuser_123 -R /etc/audit/rules.d/
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..f1bf515
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,27 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify User Who Owns /var/log/syslog File'
|
||||
+
|
||||
+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010421
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ fileuid: '104'
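Review bot: `fileuid: '104'` pins the check to a numeric UID while the description and ocil lines speak of the `syslog` user; system accounts on Debian-derived systems are allocated dynamically at package install time, so nothing guarantees that `syslog` is UID 104 on a given image, and the check can then pass or fail for the wrong reason. If the `file_owner` template accepts a user name (I cannot tell from this patch), prefer that; otherwise record the assumption next to the value, e.g. `fileuid: '104'  # UID of the syslog user on stock Ubuntu 20.04 -- confirm on the target image`. The rule would also benefit from a `prodtype: ubuntu2004` line like the audit-binaries rule later in this patch, since the value only makes sense there.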
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..e236238
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,55 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify that System Executable Have Root Ownership'
|
||||
+
|
||||
+description: |-
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ All these directories should be owned by the <tt>root</tt> user.
|
||||
+ If any directory <i>DIR</i> in these directories is found
|
||||
+ to be owned by a user other than root, correct its ownership with the
|
||||
+ following command:
|
||||
+ <pre>$ sudo chown root <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ System binaries are executed by privileged users as well as system services,
|
||||
+ and restrictive permissions are necessary to ensure that their
|
||||
+ execution of these programs cannot be co-opted.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010424
|
||||
+
|
||||
+ocil_clause: 'any system exectables directories are found to not be owned by root'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin
|
||||
+ /usr/sbin</pre>
|
||||
+ For each of these directories, run the following command to find files
|
||||
+ not owned by root:
|
||||
+ <pre>$ sudo find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ fileuid: '0'
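Review bot: The last command in the `ocil:` block, `find -L <i>DIR/</i> ! -user root -type d -exec chown root {} \;`, is presented as the way "to find files not owned by root" but it selects directories and changes their owner, so a manual verification step performs remediation, and with `-L` it follows symlinks out of the listed directories before chowning. Keep the check read-only, `<pre>$ sudo find -L <i>DIR/</i> ! -user root -type d</pre>`, and leave the `chown` to the description, which already carries it. While here, the title reads `System Executable Have Root Ownership` (missing an s) and the ocil_clause has `exectables`.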
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..0c7d9b3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,77 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools are owned by root'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ ownership configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010200
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl root
|
||||
+ /sbin/aureport root
|
||||
+ /sbin/ausearch root
|
||||
+ /sbin/autrace root
|
||||
+ /sbin/auditd root
|
||||
+ /sbin/audispd root
|
||||
+ /sbin/augenrules root
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chown root [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with each audit tool not owned by root.
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ fileuid: '0'
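Review bot: `srg: SRG-OS-000256-GPiOS-00097` has a stray `i` in the GPOS suffix; the group-ownership sibling rule at the top of this page carries the identical typo in its references, so both should read `SRG-OS-000256-GPOS-00097`, matching the form of the second id on the same line. In the description, `to protected against unauthorized access` should be `to protect against unauthorized access`, and the sentence beginning `Audit tools needed to successfully view and manipulate` is missing its verb (`are needed`) and its final period after `generators`.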
|
||||
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
|
||||
index 4c76824..487de82 100644
|
||||
--- a/products/ubuntu2004/profiles/stig.profile
|
||||
+++ b/products/ubuntu2004/profiles/stig.profile
|
||||
@@ -452,6 +452,7 @@ selections:
|
||||
# UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
|
||||
|
||||
# UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
|
||||
+ - dir_ownership_binary_dirs
|
||||
|
||||
# UBTU-20-010425 The Ubuntu operating system must have directories that contain system commands group-owned by root.
|
||||
|
||||
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
||||
index 80eaae8..590c9fc 100644
|
||||
--- a/shared/templates/file_owner/ansible.template
|
||||
+++ b/shared/templates/file_owner/ansible.template
|
||||
@@ -25,7 +25,7 @@
|
||||
|
||||
- name: Ensure owner on {{{ path }}} recursively
|
||||
file:
|
||||
- paths "{{{ path }}}"
|
||||
+ path: "{{{ path }}}"
|
||||
state: directory
|
||||
recurse: yes
|
||||
owner: "{{{ FILEUID }}}"
|
@ -0,0 +1,430 @@
|
||||
commit b56ce1b9070236c1f44e936548d9ff44b2ebe8a3
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu Feb 24 18:44:02 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-file_permissions-PR_7788.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
|
||||
new file mode 100644
|
||||
index 0000000..93fd73e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/bash/ubuntu.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+# platform = multi_platform_ubuntu
|
||||
+
|
||||
+readarray -t files < <(find /var/log/)
|
||||
+for file in "${files[@]}"; do
|
||||
+ if basename $file | grep -qE '^.*$'; then
|
||||
+ chmod 0640 $file
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+if grep -qE "^f \/var\/log\/(btmp|wtmp|lastlog)? " /usr/lib/tmpfiles.d/var.conf; then
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/btmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/wtmp[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+ sed -i --follow-symlinks "s/\(^f[[:space:]]\+\/var\/log\/lastlog[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10640/" /usr/lib/tmpfiles.d/var.conf
|
||||
+fi
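Review bot: `readarray -t files < <(find /var/log/)` has no `-type f`, so the loop runs `chmod 0640` on `/var/log/` itself and on every subdirectory, and the `basename $file | grep -qE '^.*$'` filter matches any name and excludes nothing; stripping the execute bit from log directories prevents unprivileged writers such as the syslog service from traversing them, which the root-run remediation will not notice itself. Limit the remediation to regular files and quote the path: `readarray -t files < <(find /var/log/ -type f)` and `chmod 0640 "$file"`. The test edits `chmod -R 640 /var/log` in var_logfile_correct_mode.pass.sh and `chmod -R 640 /var/log/` in world_writable_dir.pass.sh later in this patch recurse into directories the same way and would be better as `find /var/log -type f -exec chmod 640 {} +`.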
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index dd95ce0..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,36 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="permissions_local_var_log" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that files in /var/log have permission at least 0640
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_mode_log_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="log file with less restrictive permission than 0640" id="test_mode_log_files" version="1">
|
||||
- <unix:object object_ref="object_file_mode_log_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="log files" id="object_file_mode_log_files" version="1">
|
||||
- <unix:path operation="pattern match">^\/var\/log\/</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">log_files_permission_more_0640</filter>
|
||||
- <filter action="exclude">var_log_symlinks</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="log_files_permission_more_0640" version="1" operator="OR">
|
||||
- <!-- if any one of these is true then mode is NOT 0640 (hence the OR operator) -->
|
||||
- <unix:uexec datatype="boolean">true</unix:uexec>
|
||||
- <unix:gwrite datatype="boolean">true</unix:gwrite>
|
||||
- <unix:gexec datatype="boolean">true</unix:gexec>
|
||||
- <unix:oread datatype="boolean">true</unix:oread>
|
||||
- <unix:owrite datatype="boolean">true</unix:owrite>
|
||||
- <unix:oexec datatype="boolean">true</unix:oexec>
|
||||
- </unix:file_state>
|
||||
-
|
||||
- <unix:file_state id="var_log_symlinks" version="1">
|
||||
- <unix:type operation="equals">symbolic link</unix:type>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
index 1939531..bd7e984 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
|
||||
@@ -46,3 +46,10 @@ ocil: |-
|
||||
<pre>
|
||||
sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \;
|
||||
</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath: /var/log/
|
||||
+ file_regex: '.*'
|
||||
+ filemode: '0640'
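Review bot: The `file_permissions` template with `filemode: '0640'` replaces an OVAL that accepted any mode no more permissive than 0640 (it failed only when one of uexec/gwrite/gexec/oread/owrite/oexec was set) and that excluded symlinks through the `var_log_symlinks` state; whether the template reproduces the upper-bound semantics and the symlink exclusion cannot be seen from this patch. If it checks for an exact mode, files legitimately at 0600 or 0400, and the symlinks under /var/log, would start failing. Please confirm against the template's OVAL and record the expectation in the rule, e.g. `# file_permissions must treat 0640 as an upper bound and skip symlinks, as the removed OVAL did`.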
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
index 5317ef2..1793259 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/var_logfile_correct_mode.pass.sh
|
||||
@@ -1,5 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
+chmod -R 640 /var/log
|
||||
mkdir -p /var/log/testme
|
||||
touch /var/log/testme/test.log
|
||||
chmod 640 /var/log/testme/test.log
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
index 83db1ac..69b0814 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/tests/world_writable_dir.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
+chmod -R 640 /var/log/
|
||||
mkdir -p /var/log/testme
|
||||
chmod 777 /var/log/testme
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
|
||||
new file mode 100644
|
||||
index 0000000..93962ea
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log/bash/ubuntu.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_ubuntu
|
||||
+
|
||||
+chmod 0755 /var/log/
|
||||
+
|
||||
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
|
||||
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..73258d4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_syslog/rule.yml
|
||||
@@ -0,0 +1,28 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify Permissions on /var/log/syslog File'
|
||||
+
|
||||
+description: |-
|
||||
+ {{{ describe_file_permissions(file="/var/log/syslog", perms="0640") }}}
|
||||
+
|
||||
+rationale: |-
|
||||
+ The <tt>/var/log/syslog</tt> file contains logs of error messages in
|
||||
+ the system and should only be accessed by authorized personnel.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001314
|
||||
+ srg: SRG-OS-000206-GPOS-00084
|
||||
+ stigid@ubuntu2004: UBTU-20-010422
|
||||
+
|
||||
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_file_permissions(file="/var/log/syslog", perms="-rw-r-----") }}}
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath: /var/log/syslog
|
||||
+ filemode: '0640'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..a666c76
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
|
||||
@@ -0,0 +1,57 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Verify that System Executable Directories Have Restrictive Permissions'
|
||||
+
|
||||
+description: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ These directories should not be group-writable or world-writable.
|
||||
+ If any directory <i>DIR</i> in these directories is found to be
|
||||
+ group-writable or world-writable, correct its permission with the
|
||||
+ following command:
|
||||
+ <pre>$ sudo chmod go-w <i>DIR</i></pre>
|
||||
+
|
||||
+rationale: |-
|
||||
+ System binaries are executed by privileged users, as well as system services,
|
||||
+ and restrictive permissions are necessary to ensure execution of these programs
|
||||
+ cannot be co-opted.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001495
|
||||
+ srg: SRG-OS-000258-GPOS-00099
|
||||
+ stigid@ubuntu2004: UBTU-20-010423
|
||||
+
|
||||
+ocil_clause: 'any of these files are group-writable or world-writable'
|
||||
+
|
||||
+ocil: |-
|
||||
+ System executables are stored in the following directories by default:
|
||||
+ <pre>/bin
|
||||
+ /sbin
|
||||
+ /usr/bin
|
||||
+ /usr/sbin
|
||||
+ /usr/local/bin
|
||||
+ /usr/local/sbin</pre>
|
||||
+ To find system executables directories that are group-writable or
|
||||
+ world-writable, run the following command for each directory <i>DIR</i>
|
||||
+ which contains system executables:
|
||||
+ <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /bin/
|
||||
+ - /sbin/
|
||||
+ - /usr/bin/
|
||||
+ - /usr/sbin/
|
||||
+ - /usr/local/bin/
|
||||
+ - /usr/local/sbin/
|
||||
+ recursive: 'true'
|
||||
+ filemode: '0755'
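Review bot: The template block applies `file_permissions` with `recursive: 'true'` and `filemode: '0755'` to `/bin/`, `/sbin/`, `/usr/bin/` and the other listed paths, but the title, description and ocil (`find -L <i>DIR</i> -perm /022 -type d`) are about directories only; if the template walks regular files as well, setuid/setgid executables that legitimately live in these directories (mode 4755 or 2755) would presumably be reported. Confirm that the template can be restricted to directories, or that 0755 is treated as an upper bound that ignores the setuid/setgid bits, and note the outcome in the rule. The ocil_clause `any of these files are group-writable or world-writable` should say `directories` to match the rest of the rule.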
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index 3f7239d..af07846 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
index 1f68586..d58616b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.pass.sh
|
||||
@@ -1,5 +1,6 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
+ chmod -R 755 "$dirPath"
|
||||
mkdir -p "$dirPath/testme" && chmod 700 "$dirPath/testme"
|
||||
done
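Review bot: The added `chmod -R 755 "$dirPath"` rewrites the mode of every file under /lib, /lib64, /usr/lib and /usr/lib64, not just the directories this dir_permissions rule is about, and a numeric mode also clears any setuid/setgid bit a helper binary in those trees may carry (presumably some do on the target platforms; confirm). Limiting the fixture to directories keeps it aligned with the remediation shape used in all_dirs_ok.pass.sh: `find "$dirPath" -type d -exec chmod 755 '{}' \;`. The same `chmod -R 755` is introduced in file_permissions_library_dirs/tests/correct_permissions.pass.sh, where files are the subject but a `find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;` form would reach the compliant state without touching special bits.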
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
index b60a726..98d18cd 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
index 5438b51..6df6e2f 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..da42e99
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_audit_binaries/rule.yml
|
||||
@@ -0,0 +1,78 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: ubuntu2004
|
||||
+
|
||||
+title: 'Verify that audit tools Have Mode 0755 or less'
|
||||
+
|
||||
+description: |-
|
||||
+ The {{{ full_name }}} operating system audit tools must have the proper
|
||||
+ permissions configured to protected against unauthorized access.
|
||||
+
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl 755
|
||||
+ /sbin/aureport 755
|
||||
+ /sbin/ausearch 755
|
||||
+ /sbin/autrace 755
|
||||
+ /sbin/auditd 755
|
||||
+ /sbin/audispd 755
|
||||
+ /sbin/augenrules 755
|
||||
+ </pre>
|
||||
+
|
||||
+ Audit tools needed to successfully view and manipulate audit information
|
||||
+ system activity and records. Audit tools include custom queries and report
|
||||
+ generators
|
||||
+
|
||||
+rationale: |-
|
||||
+ Protecting audit information also includes identifying and protecting the
|
||||
+ tools used to view and manipulate log data. Therefore, protecting audit
|
||||
+ tools is necessary to prevent unauthorized operation on audit information.
|
||||
+
|
||||
+ Operating systems providing tools to interface with audit information
|
||||
+ will leverage user permissions and roles identifying the user accessing the
|
||||
+ tools and the corresponding rights the user enjoys to make access decisions
|
||||
+ regarding the access to audit tools.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001493,CCI-001494
|
||||
+ srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098
|
||||
+ stigid@ubuntu2004: UBTU-20-010199
|
||||
+
|
||||
+ocil: |-
|
||||
+ Verify it by running the following command:
|
||||
+ <pre>$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules
|
||||
+
|
||||
+ /sbin/auditctl 755
|
||||
+ /sbin/aureport 755
|
||||
+ /sbin/ausearch 755
|
||||
+ /sbin/autrace 755
|
||||
+ /sbin/auditd 755
|
||||
+ /sbin/audispd 755
|
||||
+ /sbin/augenrules 755
|
||||
+ </pre>
|
||||
+
|
||||
+ If the command does not return all the above lines, the missing ones
|
||||
+ need to be added.
|
||||
+
|
||||
+ Run the following command to correct the permissions of the missing
|
||||
+ entries:
|
||||
+ <pre>$ sudo chmod 0755 [audit_tool] </pre>
|
||||
+
|
||||
+ Replace "[audit_tool]" with the audit tool that does not have the
|
||||
+ correct permissions.
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /sbin/auditctl
|
||||
+ - /sbin/aureport
|
||||
+ - /sbin/ausearch
|
||||
+ - /sbin/autrace
|
||||
+ - /sbin/auditd
|
||||
+ - /sbin/audispd
|
||||
+ - /sbin/augenrules
|
||||
+ filemode: '0755'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
index 5d95c98..ab89b27 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
|
||||
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu
|
||||
DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..59b8838
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/correct_permissions.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -perm /022 -type f -exec chmod 0755 '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..9d9ce30
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/tests/incorrect_permissions.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type f -exec chmod 0777 '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..de388e6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/correct_permissions.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ chmod -R 755 "$dirPath"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..913e75e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type d -exec chmod go-w '{}' \;
|
||||
+ find "$dirPath" -type f -exec chmod go+w '{}' \;
|
||||
+done
|
||||
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
|
||||
index 487de82..091e472 100644
|
||||
--- a/products/ubuntu2004/profiles/stig.profile
|
||||
+++ b/products/ubuntu2004/profiles/stig.profile
|
||||
@@ -448,8 +448,10 @@ selections:
|
||||
# UBTU-20-010421 The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.
|
||||
|
||||
# UBTU-20-010422 The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.
|
||||
+ - file_permissions_var_log_syslog
|
||||
|
||||
# UBTU-20-010423 The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
|
||||
+ - dir_permissions_binary_dirs
|
||||
|
||||
# UBTU-20-010424 The Ubuntu operating system must have directories that contain system commands owned by root.
|
||||
- dir_ownership_binary_dirs
|
||||
diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template
|
||||
index 89083e8..6b3616a 100644
|
||||
--- a/shared/templates/file_permissions/oval.template
|
||||
+++ b/shared/templates/file_permissions/oval.template
|
||||
@@ -67,6 +67,11 @@
|
||||
#}}
|
||||
<filter action="include">state_file_permissions{{{ FILEID }}}_{{{ loop.index0 }}}_mode_not_{{{ FILEMODE }}}</filter>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">exclude_symlinks_{{{ FILEID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+
|
||||
+ <unix:file_state id="exclude_symlinks_{{{ FILEID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
|
@ -0,0 +1,315 @@
|
||||
commit ecedabee39e65415001ba59bf3c927329a10720f
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 11:40:02 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-no_time_servers_chrony-PR_8187.patch.
|
||||
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
index a7b2a62..25a8589 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
|
||||
@@ -3,17 +3,25 @@
|
||||
{{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
|
||||
to continuously poll the time source servers.") }}}
|
||||
<criteria operator="OR">
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
||||
- test_ref="test_ntp_set_maxpoll" />
|
||||
- <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
- test_ref="test_ntp_all_server_has_maxpoll"/>
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
||||
+ test_ref="test_ntp_no_server"/>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="check if maxpoll is set in /etc/ntp.conf"
|
||||
+ test_ref="test_ntp_set_maxpoll" />
|
||||
+ <criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
+ test_ref="test_ntp_all_server_has_maxpoll"/>
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
||||
- test_ref="test_chrony_set_maxpoll" />
|
||||
- <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
||||
- test_ref="test_chrony_all_server_has_maxpoll"/>
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="check if no server or pool entry is set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_no_server_nor_pool"/>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="check if maxpoll is set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_set_maxpoll" />
|
||||
+ <criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf"
|
||||
+ test_ref="test_chrony_all_server_has_maxpoll"/>
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
@@ -77,4 +85,26 @@
|
||||
<ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="check if no server entries have server or pool set in /etc/chrony.conf"
|
||||
+ id="test_chrony_no_server_nor_pool" version="1">
|
||||
+ <ind:object object_ref="obj_chrony_no_server_nor_pool" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="obj_chrony_no_server_nor_pool" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
+ comment="check if all server entries have maxpoll set in /etc/ntp.conf"
|
||||
+ id="test_ntp_no_server" version="1">
|
||||
+ <ind:object object_ref="obj_ntp_no_server_nor_pool" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="obj_ntp_no_server_nor_pool" version="1">
|
||||
+ <ind:filepath>/etc/ntp.conf</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^server.*</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
</def-group>
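Review bot: `test_ntp_no_server` uses `check_existence="all_exist"`, which is true precisely when /etc/ntp.conf has a `server` line — the inverse of its chrony twin `test_chrony_no_server_nor_pool` (`none_exist`) and of the "no server ... entry" criterion that references it in the first hunk — so on an ntp host whose servers lack `maxpoll` the outer OR is satisfied and the rule passes vacuously. Switching to `none_exist` is necessary but not sufficient: an object on an absent file collects nothing, so `none_exist` is also true wherever /etc/ntp.conf (or, for the chrony branch, any /etc/chrony*.conf) does not exist, and whichever daemon is not installed would then satisfy the OR on behalf of the other; unless the rule is platform-gated elsewhere, each "no server" criterion needs to be ANDed with a test that the corresponding config file exists. The copied comment should read `comment="check if no server entry is set in /etc/ntp.conf"`, and the ntp-branch criterion comment in the first hunk should name /etc/ntp.conf rather than /etc/chrony.conf. Minor: `^(?:server|pool).*` does not tolerate leading whitespace, unlike the `^[\s]*server.*$` form in chronyd_server_directive/oval/shared.xml, so an indented directive counts as "no server configured".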
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
index 854e8e8..77af724 100644
|
||||
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
|
||||
@@ -11,6 +11,8 @@ description: |-
|
||||
<tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
|
||||
add the following:
|
||||
<pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
|
||||
+ If no <tt>server</tt> or <tt>pool</tt> directives are configured, the rule evaluates
|
||||
+ to pass.
|
||||
{{% if product == "rhcos4" %}}
|
||||
<p>
|
||||
Note that if the remediation shipping with this content is being used, the
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..bbae20f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/tests/chrony_no_pool_nor_servers.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+#
|
||||
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||||
+
|
||||
+yum remove -y ntp
|
||||
+
|
||||
+# Remove all pool and server options
|
||||
+sed -i "/^pool.*/d" /etc/chrony.conf
|
||||
+sed -i "/^server.*/d" /etc/chrony.conf
|
||||
+
|
||||
+systemctl enable chronyd.service
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..2244e60
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/oval/shared.xml
|
||||
@@ -0,0 +1,33 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
+ {{{ oval_metadata("Ensure Chrony has time sources configured with server directive") }}}
|
||||
+ <criteria comment="chrony.conf only has server directive">
|
||||
+ <criterion test_ref="test_chronyd_server_directive_with_server" />
|
||||
+ <criterion test_ref="test_chronyd_server_directive_no_pool" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
|
||||
+ comment="Ensure at least one time source is set with server directive" id="test_chronyd_server_directive_with_server"
|
||||
+ version="1">
|
||||
+ <ind:object object_ref="object_chronyd_server_directive" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files"
|
||||
+ id="object_chronyd_server_directive" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="Ensure no time source is set with pool directive" id="test_chronyd_server_directive_no_pool"
|
||||
+ version="1">
|
||||
+ <ind:object object_ref="object_chronyd_no_pool_directive" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files"
|
||||
+ id="object_chronyd_no_pool_directive" version="1">
|
||||
+ <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+</def-group>
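Review bot: The pool pattern `^[\s]+pool.*$` requires at least one leading whitespace character, so a `pool` directive written at column 0 — the usual form, and the one the only_pool.fail.sh fixture writes — never matches `object_chronyd_no_pool_directive`, and `test_chronyd_server_directive_no_pool` (`none_exist`) is satisfied; a file with a column-0 `server` line and a column-0 `pool` line therefore passes this rule. Align it with the server pattern above: `<ind:pattern operation="pattern match">^[\s]*pool.*$</ind:pattern>`. The fixture does not expose this because it has no `server` line, so the `at_least_one_exists` test fails first; a fixture containing both directives would. Typo in the object comment: `comment="Matches pool entries in Chrony conf files"`.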
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..6dc24f1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/rule.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Chrony is only configured with the server directive'
|
||||
+
|
||||
+description: |-
|
||||
+ Check that Chrony only has time sources configured with the <tt>server</tt> directive.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Depending on the infrastruture being used the <tt>pool</tt> directive may not be supported.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+platform: chrony
|
||||
+
|
||||
+warnings:
|
||||
+ - general: This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: CCE-86077-5
|
||||
+ cce@rhel9: CCE-87077-4
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-001891
|
||||
+ srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
|
||||
+ stigid@rhel8: RHEL-08-030740
|
||||
+
|
||||
+ocil_clause: 'a remote time server is not configured or configured with pool directive'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Run the following command and verify that time sources are only configure with <tt>server</tt> directive:
|
||||
+ <pre># grep -E "^(server|pool)" /etc/chrony.conf</pre>
|
||||
+ A line with the appropriate server should be returned, any line returned starting with <tt>pool</tt> is a finding.
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..d1ba075
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_empty.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+echo "" > /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..12a50eb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/file_missing.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+rm -f /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..bffa8b6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/line_missing.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+echo "some line" > /etc/chrony.conf
|
||||
+echo "another line" >> /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5527f38
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/multiple_servers.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+sed -i "^pool.*" /etc/chrony.conf
|
||||
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
||||
+echo "server 1.pool.ntp.org" >> /etc/chrony.conf
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..616fe88
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_pool.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+# remediation = none
|
||||
+
|
||||
+sed -i "^server.*" /etc/chrony.conf
|
||||
+if ! grep "^pool.*" /etc/chrony.conf; then
|
||||
+ echo "pool 0.pool.ntp.org" > /etc/chrony.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..21a70dc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ntp/chronyd_server_directive/tests/only_server.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+#!/bin/bash
|
||||
+# packages = chrony
|
||||
+# platform = multi_platform_fedora,multi_platform_rhel
|
||||
+
|
||||
+sed -i "^pool.*" /etc/chrony.conf
|
||||
+echo "server 0.pool.ntp.org" > /etc/chrony.conf
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 7e142a9..bfb3753 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -910,6 +910,7 @@ selections:
|
||||
# RHEL-08-030740
|
||||
# remediation fails because default configuration file contains pool instead of server keyword
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+ - chronyd_server_directive
|
||||
|
||||
# RHEL-08-030741
|
||||
- chronyd_client_only
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 0584677..ec92589 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -188,7 +188,6 @@ CCE-86073-4
|
||||
CCE-86074-2
|
||||
CCE-86075-9
|
||||
CCE-86076-7
|
||||
-CCE-86077-5
|
||||
CCE-86078-3
|
||||
CCE-86079-1
|
||||
CCE-86080-9
|
||||
@@ -1168,7 +1167,6 @@ CCE-87073-3
|
||||
CCE-87074-1
|
||||
CCE-87075-8
|
||||
CCE-87076-6
|
||||
-CCE-87077-4
|
||||
CCE-87078-2
|
||||
CCE-87079-0
|
||||
CCE-87080-8
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 26391b9..2411f02 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -154,6 +154,7 @@ selections:
|
||||
- chronyd_client_only
|
||||
- chronyd_no_chronyc_network
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+- chronyd_server_directive
|
||||
- clean_components_post_updating
|
||||
- configure_bashrc_exec_tmux
|
||||
- configure_bind_crypto_policy
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 31a3264..f0a9601 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -165,6 +165,7 @@ selections:
|
||||
- chronyd_client_only
|
||||
- chronyd_no_chronyc_network
|
||||
- chronyd_or_ntpd_set_maxpoll
|
||||
+- chronyd_server_directive
|
||||
- clean_components_post_updating
|
||||
- configure_bashrc_exec_tmux
|
||||
- configure_bind_crypto_policy
|
@ -0,0 +1,80 @@
|
||||
commit 2a3e271027ddfef1b8ebf55f4d02a0c6a8eb445f
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 11:12:44 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch.
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 5829039..eb6cf83 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -50,7 +50,7 @@ selections:
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
- var_password_pam_minlen=15
|
||||
- - var_sshd_set_keepalive=0
|
||||
+ # - var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
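Review bot: Commenting out `var_sshd_set_keepalive=0` here and `sshd_set_keepalive_0` / `sshd_set_idle_timeout` in the second hunk removes the STIG idle-timeout controls (RHEL-08-010200/010201) from the profile with no replacement, while `sshd_idle_timeout_value=10_minutes` apparently stays selected with nothing consuming it. The explanatory comment says the items "don't behave as they used to" but not how; record the concrete reason (presumably a change in ClientAlive semantics in the newer OpenSSH, confirm) and a tracking reference, e.g. `# Disabled: <reason>; tracked in <ISSUE-PLACEHOLDER>`, so the coverage gap is visible to whoever audits the profile against the STIG. The profile-stability test data is updated in the same patch, so CI will not flag the missing selections by itself.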
|
||||
@@ -168,11 +168,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # RHEL-08-010200
|
||||
- - sshd_set_keepalive_0
|
||||
-
|
||||
- # RHEL-08-010201
|
||||
- - sshd_set_idle_timeout
|
||||
+ # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
+ # anymore. They will be disabled for now until an alternative
|
||||
+ # solution is found.
|
||||
+ # # RHEL-08-010200
|
||||
+ # - sshd_set_keepalive_0
|
||||
+ # # RHEL-08-010201
|
||||
+ # - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index b9eeff5..f181bd9 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -347,8 +347,6 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
-- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -416,7 +414,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
-- var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 54bf46d..48e7d03 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -358,8 +358,6 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
-- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -426,7 +424,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
-- var_sshd_set_keepalive=0
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
@ -0,0 +1,122 @@
|
||||
commit e5b8b968d882aa8fa1795dcabf185781f59b5671
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 12:01:18 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
index 4cb2f9e..58f91ea 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
@@ -4,7 +4,6 @@
|
||||
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
|
||||
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
test_ref="test_configure_bashrc_exec_tmux" />
|
||||
- <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
@@ -18,13 +17,4 @@
|
||||
<ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
-
|
||||
- <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
|
||||
- <unix:object object_ref="obj_tmux_running"/>
|
||||
- </unix:process58_test>
|
||||
-
|
||||
- <unix:process58_object id="obj_tmux_running" version="1">
|
||||
- <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
|
||||
- <unix:pid datatype="int" operation="greater than">0</unix:pid>
|
||||
- </unix:process58_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
index 6be090b..0e4db6d 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
@@ -8,19 +8,11 @@ description: |-
|
||||
The <tt>tmux</tt> terminal multiplexer is used to implement
|
||||
automatic session locking. It should be started from
|
||||
<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
|
||||
- Additionally it must be ensured that the <tt>tmux</tt> process is running
|
||||
- and it can be verified with the following command:
|
||||
- <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
|
||||
rationale: |-
|
||||
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
|
||||
provides a mechanism to lock sessions after period of inactivity.
|
||||
|
||||
-warnings:
|
||||
- - general: |-
|
||||
- The remediation does not start the tmux process, so it must be
|
||||
- manually started or have the system rebooted after applying the fix.
|
||||
-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
@@ -33,7 +25,7 @@ references:
|
||||
srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009
|
||||
stigid@rhel8: RHEL-08-020041
|
||||
|
||||
-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
|
||||
+ocil_clause: 'exec tmux is not present at the end of bashrc'
|
||||
|
||||
ocil: |-
|
||||
To verify that tmux is configured to execute,
|
||||
@@ -45,9 +37,5 @@ ocil: |-
|
||||
name=$(ps -o comm= -p $parent)
|
||||
case "$name" in sshd|login) exec tmux ;; esac
|
||||
fi</pre>
|
||||
- To verify that the tmux process is running,
|
||||
- run the following command:
|
||||
- <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
- If the command does not produce output, this is a finding.
|
||||
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
index 221c186..fbc7590 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
@@ -9,4 +9,3 @@ if [ "$PS1" ]; then
|
||||
fi
|
||||
EOF
|
||||
|
||||
-tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
index 1702bb1..6107f86 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
@@ -10,4 +10,3 @@ if [ "$PS1" ]; then
|
||||
fi
|
||||
EOF
|
||||
|
||||
-tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
deleted file mode 100644
|
||||
index 6cb9d83..0000000
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,13 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = tmux
|
||||
-# remediation = none
|
||||
-
|
||||
-cat >> /etc/bashrc <<'EOF'
|
||||
-if [ "$PS1" ]; then
|
||||
- parent=$(ps -o ppid= -p $$)
|
||||
- name=$(ps -o comm= -p $parent)
|
||||
- case "$name" in sshd|login) exec tmux ;; esac
|
||||
-fi
|
||||
-EOF
|
||||
-
|
||||
-killall tmux || true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
index f13a8b0..9b46165 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
|
||||
fi
|
||||
# vim:ts=4:sw=4
|
||||
EOF
|
||||
-
|
||||
-tmux new-session -s root -d
|
@ -0,0 +1,382 @@
|
||||
commit 3064c4bc94047b1ca4c91db6008ded0694121563
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 10:57:59 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
index 6c3cc55..9208a17 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
|
||||
@@ -55,7 +55,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
|
||||
stigid@ol7: OL07-00-030420
|
||||
stigid@rhel7: RHEL-07-030420
|
||||
- stigid@rhel8: RHEL-08-030540
|
||||
+ stigid@rhel8: RHEL-08-030490
|
||||
stigid@sle12: SLES-12-020470
|
||||
stigid@sle15: SLES-15-030300
|
||||
stigid@ubuntu2004: UBTU-20-010153
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
index 3e51d48..595824c 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
|
||||
@@ -55,7 +55,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203
|
||||
stigid@ol7: OL07-00-030430
|
||||
stigid@rhel7: RHEL-07-030430
|
||||
- stigid@rhel8: RHEL-08-030530
|
||||
+ stigid@rhel8: RHEL-08-030490
|
||||
stigid@sle12: SLES-12-020480
|
||||
stigid@sle15: SLES-12-030310
|
||||
stigid@ubuntu2004: UBTU-20-010154
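Review bot: The context line `stigid@sle15: SLES-12-030310` directly below the changed `stigid@rhel8` entry carries a SLES-12 prefix under the `stigid@sle15` key, which looks like a copy error; the sibling rules touched by this patch (fchmod, fchown, fchownat) all use `SLES-15-` identifiers for that key. It is not part of this commit's change, but since the hunk already edits the reference block it is worth confirming the value against the SLE 15 STIG and fixing it here rather than shipping a cross-reference that points at the wrong benchmark.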
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
index d89875f..470a995 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
|
||||
@@ -58,7 +58,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
|
||||
stigid@ol7: OL07-00-030380
|
||||
stigid@rhel7: RHEL-07-030380
|
||||
- stigid@rhel8: RHEL-08-030520
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020430
|
||||
stigid@sle15: SLES-15-030260
|
||||
stigid@ubuntu2004: UBTU-20-010149
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
index e6caaeb..4db008f 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
|
||||
@@ -55,7 +55,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
|
||||
stigid@ol7: OL07-00-030400
|
||||
stigid@rhel7: RHEL-07-030400
|
||||
- stigid@rhel8: RHEL-08-030510
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020450
|
||||
stigid@sle15: SLES-15-030280
|
||||
stigid@ubuntu2004: UBTU-20-010150
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
index b9ad3c7..cd4b200 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
|
||||
@@ -72,7 +72,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
||||
stigid@ol7: OL07-00-030480
|
||||
stigid@rhel7: RHEL-07-030480
|
||||
- stigid@rhel8: RHEL-08-030240
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020410
|
||||
stigid@sle15: SLES-15-030210
|
||||
stigid@ubuntu2004: UBTU-20-010147
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
index cedf05f..dc6ef7f 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
|
||||
@@ -67,7 +67,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
|
||||
stigid@ol7: OL07-00-030450
|
||||
stigid@rhel7: RHEL-07-030450
|
||||
- stigid@rhel8: RHEL-08-030230
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020380
|
||||
stigid@sle15: SLES-15-030230
|
||||
stigid@ubuntu2004: UBTU-20-010144
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
index 190509c..e57e177 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
|
||||
@@ -55,7 +55,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000466-GPOS-00210,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
|
||||
stigid@ol7: OL07-00-030390
|
||||
stigid@rhel7: RHEL-07-030390
|
||||
- stigid@rhel8: RHEL-08-030500
|
||||
+ stigid@rhel8: RHEL-08-030480
|
||||
stigid@sle12: SLES-12-020440
|
||||
stigid@sle15: SLES-15-030270
|
||||
stigid@ubuntu2004: UBTU-20-010151
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
index 3662262..52ee93a 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
|
||||
@@ -66,7 +66,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000064-GPOS-00033
|
||||
stigid@ol7: OL07-00-030460
|
||||
stigid@rhel7: RHEL-07-030460
|
||||
- stigid@rhel8: RHEL-08-030220
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle15: SLES-15-030240
|
||||
stigid@ubuntu2004: UBTU-20-010143
|
||||
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
index ac9d349..c462eb7 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
|
||||
@@ -71,7 +71,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000468-GPOS-00212,SRG-OS-000471-GPOS-00215,SRG-OS-000474-GPOS-00219,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033
|
||||
stigid@ol7: OL07-00-030470
|
||||
stigid@rhel7: RHEL-07-030470
|
||||
- stigid@rhel8: RHEL-08-030210
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020390
|
||||
stigid@sle15: SLES-15-030190
|
||||
stigid@ubuntu2004: UBTU-20-010145
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
index b661a1f..23630ec 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
|
||||
@@ -67,7 +67,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203
|
||||
stigid@ol7: OL07-00-030440
|
||||
stigid@rhel7: RHEL-07-030440
|
||||
- stigid@rhel8: RHEL-08-030270
|
||||
+ stigid@rhel8: RHEL-08-030200
|
||||
stigid@sle12: SLES-12-020370
|
||||
stigid@sle15: SLES-15-030220
|
||||
stigid@ubuntu2004: UBTU-20-010142
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
index 37620a3..0f25e93 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
|
||||
@@ -48,7 +48,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
|
||||
stigid@ol7: OL07-00-030890
|
||||
stigid@rhel7: RHEL-07-030890
|
||||
- stigid@rhel8: RHEL-08-030362
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010270
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
index e6b4004..7c5b3b0 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
|
||||
@@ -47,7 +47,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
|
||||
stigid@ol7: OL07-00-030900
|
||||
stigid@rhel7: RHEL-07-030900
|
||||
- stigid@rhel8: RHEL-08-030363
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
index bfe53b7..209c622 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
|
||||
@@ -48,7 +48,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
|
||||
stigid@ol7: OL07-00-030910
|
||||
stigid@rhel7: RHEL-07-030910
|
||||
- stigid@rhel8: RHEL-08-030364
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010267
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
index bd246f1..56c644e 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
|
||||
@@ -48,7 +48,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212
|
||||
stigid@ol7: OL07-00-030920
|
||||
stigid@rhel7: RHEL-07-030920
|
||||
- stigid@rhel8: RHEL-08-030365
|
||||
+ stigid@rhel8: RHEL-08-030361
|
||||
stigid@ubuntu2004: UBTU-20-010268
|
||||
vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
index 5c751cb..4516c7c 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
||||
@@ -60,7 +60,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
|
||||
stigid@ol7: OL07-00-030500
|
||||
stigid@rhel7: RHEL-07-030500
|
||||
- stigid@rhel8: RHEL-08-030470
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020520
|
||||
stigid@sle15: SLES-15-030160
|
||||
stigid@ubuntu2004: UBTU-20-010158
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
index 76bcea1..4a845c3 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
||||
@@ -63,7 +63,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
|
||||
stigid@ol7: OL07-00-030550
|
||||
stigid@rhel7: RHEL-07-030550
|
||||
- stigid@rhel8: RHEL-08-030460
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020510
|
||||
stigid@sle15: SLES-15-030320
|
||||
stigid@ubuntu2004: UBTU-20-010157
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
index 7c6764d..fc6cf35 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
|
||||
@@ -63,7 +63,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
|
||||
stigid@ol7: OL07-00-030510
|
||||
stigid@rhel7: RHEL-07-030510
|
||||
- stigid@rhel8: RHEL-08-030440
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020490
|
||||
stigid@sle15: SLES-15-030150
|
||||
stigid@ubuntu2004: UBTU-20-010155
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
index 9bb5ffe..be08972 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
||||
@@ -59,7 +59,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
|
||||
stigid@ol7: OL07-00-030530
|
||||
stigid@rhel7: RHEL-07-030530
|
||||
- stigid@rhel8: RHEL-08-030450
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020540
|
||||
stigid@sle15: SLES-15-030180
|
||||
stigid@ubuntu2004: UBTU-20-010160
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
index c99656c..63aa3f3 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
||||
@@ -63,7 +63,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205
|
||||
stigid@ol7: OL07-00-030520
|
||||
stigid@rhel7: RHEL-07-030520
|
||||
- stigid@rhel8: RHEL-08-030430
|
||||
+ stigid@rhel8: RHEL-08-030420
|
||||
stigid@sle12: SLES-12-020530
|
||||
stigid@sle15: SLES-15-030170
|
||||
stigid@ubuntu2004: UBTU-20-010159
|
||||
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
index aa17002..62cc33d 100644
|
||||
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
|
||||
@@ -50,7 +50,7 @@ references:
|
||||
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
|
||||
stigid@ol7: OL07-00-030821
|
||||
stigid@rhel7: RHEL-07-030821
|
||||
- stigid@rhel8: RHEL-08-030380
|
||||
+ stigid@rhel8: RHEL-08-030360
|
||||
stigid@sle12: SLES-12-020740
|
||||
stigid@sle15: SLES-15-030530
|
||||
stigid@ubuntu2004: UBTU-20-010180
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index a641eee..5829039 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -561,6 +561,8 @@ selections:
|
||||
|
||||
# RHEL-08-020220
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
+
|
||||
+ # RHEL-08-020221
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
|
||||
# RHEL-08-020230
|
||||
@@ -713,18 +715,11 @@ selections:
|
||||
|
||||
# RHEL-08-030200
|
||||
- audit_rules_dac_modification_lremovexattr
|
||||
-
|
||||
- # RHEL-08-030210
|
||||
- audit_rules_dac_modification_removexattr
|
||||
-
|
||||
- # RHEL-08-030220
|
||||
- audit_rules_dac_modification_lsetxattr
|
||||
-
|
||||
- # RHEL-08-030230
|
||||
- audit_rules_dac_modification_fsetxattr
|
||||
-
|
||||
- # RHEL-08-030240
|
||||
- audit_rules_dac_modification_fremovexattr
|
||||
+ - audit_rules_dac_modification_setxattr
|
||||
|
||||
# RHEL-08-030250
|
||||
- audit_rules_privileged_commands_chage
|
||||
@@ -732,8 +727,6 @@ selections:
|
||||
# RHEL-08-030260
|
||||
- audit_rules_execution_chcon
|
||||
|
||||
- # RHEL-08-030270
|
||||
- - audit_rules_dac_modification_setxattr
|
||||
|
||||
# RHEL-08-030280
|
||||
- audit_rules_privileged_commands_ssh_agent
|
||||
@@ -788,28 +781,18 @@ selections:
|
||||
|
||||
# RHEL-08-030360
|
||||
- audit_rules_kernel_module_loading_init
|
||||
+ - audit_rules_kernel_module_loading_finit
|
||||
|
||||
# RHEL-08-030361
|
||||
- audit_rules_file_deletion_events_rename
|
||||
-
|
||||
- # RHEL-08-030362
|
||||
- audit_rules_file_deletion_events_renameat
|
||||
-
|
||||
- # RHEL-08-030363
|
||||
- audit_rules_file_deletion_events_rmdir
|
||||
-
|
||||
- # RHEL-08-030364
|
||||
- audit_rules_file_deletion_events_unlink
|
||||
-
|
||||
- # RHEL-08-030365
|
||||
- audit_rules_file_deletion_events_unlinkat
|
||||
|
||||
# RHEL-08-030370
|
||||
- audit_rules_privileged_commands_gpasswd
|
||||
|
||||
- # RHEL-08-030380
|
||||
- - audit_rules_kernel_module_loading_finit
|
||||
-
|
||||
# RHEL-08-030390
|
||||
- audit_rules_kernel_module_loading_delete
|
||||
|
||||
@@ -821,41 +804,21 @@ selections:
|
||||
|
||||
# RHEL-08-030420
|
||||
- audit_rules_unsuccessful_file_modification_truncate
|
||||
-
|
||||
- # RHEL-08-030430
|
||||
- audit_rules_unsuccessful_file_modification_openat
|
||||
-
|
||||
- # RHEL-08-030440
|
||||
- audit_rules_unsuccessful_file_modification_open
|
||||
-
|
||||
- # RHEL-08-030450
|
||||
- audit_rules_unsuccessful_file_modification_open_by_handle_at
|
||||
-
|
||||
- # RHEL-08-030460
|
||||
- audit_rules_unsuccessful_file_modification_ftruncate
|
||||
-
|
||||
- # RHEL-08-030470
|
||||
- audit_rules_unsuccessful_file_modification_creat
|
||||
|
||||
# RHEL-08-030480
|
||||
- audit_rules_dac_modification_chown
|
||||
-
|
||||
- # RHEL-08-030490
|
||||
- - audit_rules_dac_modification_chmod
|
||||
-
|
||||
- # RHEL-08-030500
|
||||
- audit_rules_dac_modification_lchown
|
||||
-
|
||||
- # RHEL-08-030510
|
||||
- audit_rules_dac_modification_fchownat
|
||||
-
|
||||
- # RHEL-08-030520
|
||||
- audit_rules_dac_modification_fchown
|
||||
|
||||
- # RHEL-08-030530
|
||||
+ # RHEL-08-030490
|
||||
+ - audit_rules_dac_modification_chmod
|
||||
- audit_rules_dac_modification_fchmodat
|
||||
-
|
||||
- # RHEL-08-030540
|
||||
- audit_rules_dac_modification_fchmod
|
||||
|
||||
# RHEL-08-030550
|
334
SOURCES/scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
Normal file
@ -0,0 +1,334 @@
|
||||
commit b2b8afa337bce598b9b56a243e7ad0be7ee9194e
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri Feb 25 14:18:51 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..1c151a1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/bash/shared.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhv
|
||||
+
|
||||
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
|
||||
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 0000000..24fdbe4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/oval/shared.xml
|
||||
@@ -0,0 +1,19 @@
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="set_password_hashing_algorithm_passwordauth" version="1">
|
||||
+ {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/password-auth.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion test_ref="test_pam_unix_passwordauth_sha512" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/password-auth for correct settings" id="test_pam_unix_passwordauth_sha512" version="1">
|
||||
+ <ind:object object_ref="object_pam_unix_passwordauth_sha512" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object comment="check /etc/pam.d/password-auth for correct settings" id="object_pam_unix_passwordauth_sha512" version="1">
|
||||
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
|
||||
new file mode 100644
|
||||
index 0000000..9375269
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml
|
||||
@@ -0,0 +1,72 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
||||
+
|
||||
+title: "Set PAM's Password Hashing Algorithm - password-auth"
|
||||
+
|
||||
+description: |-
|
||||
+ The PAM system service can be configured to only store encrypted
|
||||
+ representations of passwords. In
|
||||
+ <tt>/etc/pam.d/password-auth</tt>,
|
||||
+ the
|
||||
+ <tt>password</tt> section of the file controls which PAM modules execute
|
||||
+ during a password change. Set the <tt>pam_unix.so</tt> module in the
|
||||
+ <tt>password</tt> section to include the argument <tt>sha512</tt>, as shown
|
||||
+ below:
|
||||
+ <br />
|
||||
+ <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre>
|
||||
+ <br />
|
||||
+ This will help ensure when local users change their passwords, hashes for
|
||||
+ the new passwords will be generated using the SHA-512 algorithm. This is
|
||||
+ the default.
|
||||
+
|
||||
+rationale: |-
|
||||
+ Passwords need to be protected at all times, and encryption is the standard
|
||||
+ method for protecting passwords. If passwords are not encrypted, they can
|
||||
+ be plainly read (i.e., clear text) and easily compromised. Passwords that
|
||||
+ are encrypted with a weak algorithm are no more protected than if they are
|
||||
+ kepy in plain text.
|
||||
+ <br /><br />
|
||||
+ This setting ensures user and group account administration utilities are
|
||||
+ configured to store only encrypted representations of passwords.
|
||||
+ Additionally, the <tt>crypt_style</tt> configuration option ensures the use
|
||||
+ of a strong hashing algorithm that makes password cracking attacks more
|
||||
+ difficult.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-85943-9
|
||||
+ cce@rhel8: CCE-85945-4
|
||||
+ cce@rhel9: CCE-85946-2
|
||||
+
|
||||
+references:
|
||||
+ anssi: BP28(R32)
|
||||
+ cis-csc: 1,12,15,16,5
|
||||
+ cis@rhel7: 5.4.3
|
||||
+ cis@rhel8: 5.4.4
|
||||
+ cjis: 5.6.2.2
|
||||
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
|
||||
+ cui: 3.13.11
|
||||
+ disa: CCI-000196
|
||||
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
|
||||
+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
|
||||
+ ism: 0418,1055,1402
|
||||
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
|
||||
+ nist: IA-5(c),IA-5(1)(c),CM-6(a)
|
||||
+ nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
|
||||
+ pcidss: Req-8.2.1
|
||||
+ srg: SRG-OS-000073-GPOS-00041
|
||||
+ stigid@rhel7: RHEL-07-010200
|
||||
+ stigid@rhel8: RHEL-08-010160
|
||||
+ vmmsrg: SRG-OS-000480-VMM-002000
|
||||
+
|
||||
+ocil_clause: 'it does not'
|
||||
+
|
||||
+ocil: |-
|
||||
+ Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>
|
||||
+ and ensure that the <tt>pam_unix.so</tt> module includes the argument
|
||||
+ <tt>sha512</tt>:
|
||||
+ <pre>$ grep sha512 /etc/pam.d/password-auth</pre>
|
||||
+
|
||||
+platform: pam
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..a924fe5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/correct.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "/etc/pam.d/password-auth"; then
|
||||
+ sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "/etc/pam.d/password-auth"
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..68e925a
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/missing.fail.sh
|
||||
@@ -0,0 +1,3 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/sha512//g" "/etc/pam.d/password-auth"
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
index 02af406..e7503fe 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
index d76b6f8..a754a84 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
|
||||
@@ -3,6 +3,9 @@
|
||||
{{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
|
||||
<criteria operator="AND">
|
||||
<criterion test_ref="test_pam_unix_sha512" />
|
||||
+ {{%- if product == "rhel7" %}}
|
||||
+ <extend_definition comment="check /etc/pam.d/password-auth for correct settings" definition_ref="set_password_hashing_algorithm_passwordauth" />
|
||||
+ {{%- endif %}}
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
index 24ab30d..58fcea9 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
|
||||
@@ -69,7 +69,7 @@ references:
|
||||
srg: SRG-OS-000073-GPOS-00041
|
||||
stigid@ol7: OL07-00-010200
|
||||
stigid@rhel7: RHEL-07-010200
|
||||
- stigid@rhel8: RHEL-08-010160
|
||||
+ stigid@rhel8: RHEL-08-010159
|
||||
stigid@sle12: SLES-12-010230
|
||||
stigid@sle15: SLES-15-020170
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
index 7e48176..fb9feec 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
index 09bb82d..2f35381 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
|
||||
@@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
AUTH_FILES[0]="/etc/pam.d/system-auth"
|
||||
+{{%- if product == "rhel7" %}}
|
||||
AUTH_FILES[1]="/etc/pam.d/password-auth"
|
||||
+{{%- endif %}}
|
||||
|
||||
for pamFile in "${AUTH_FILES[@]}"
|
||||
do
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index d76bb38..1045be3 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -54,6 +54,7 @@ selections:
|
||||
- accounts_password_pam_difok
|
||||
- accounts_passwords_pam_faillock_deny
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- require_singleuser_auth
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d51e53a..705caa8 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -147,6 +147,9 @@ selections:
|
||||
# RHEL-08-010152
|
||||
- require_emergency_target_auth
|
||||
|
||||
+ # RHEL-08-010159
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
+
|
||||
# RHEL-08-010160
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
|
||||
diff --git a/products/rhv4/profiles/pci-dss.profile b/products/rhv4/profiles/pci-dss.profile
|
||||
index 90e196e..f1fb1f8 100644
|
||||
--- a/products/rhv4/profiles/pci-dss.profile
|
||||
+++ b/products/rhv4/profiles/pci-dss.profile
|
||||
@@ -115,6 +115,7 @@ selections:
|
||||
- service_pcscd_enabled
|
||||
- sssd_enable_smartcards
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- file_owner_etc_shadow
|
||||
diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile
|
||||
index ef28fa1..d17833b 100644
|
||||
--- a/products/rhv4/profiles/rhvh-stig.profile
|
||||
+++ b/products/rhv4/profiles/rhvh-stig.profile
|
||||
@@ -355,6 +355,7 @@ selections:
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- package_opensc_installed
|
||||
- var_smartcard_drivers=cac
|
||||
- configure_opensc_card_drivers
|
||||
diff --git a/products/rhv4/profiles/rhvh-vpp.profile b/products/rhv4/profiles/rhvh-vpp.profile
|
||||
index 9be3e34..3b5802d 100644
|
||||
--- a/products/rhv4/profiles/rhvh-vpp.profile
|
||||
+++ b/products/rhv4/profiles/rhvh-vpp.profile
|
||||
@@ -200,6 +200,7 @@ selections:
|
||||
- accounts_password_pam_unix_remember
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
+ - set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_libuserconf
|
||||
- no_empty_passwords
|
||||
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index fef5fd8..d8daeb3 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -69,9 +69,6 @@ CCE-85939-7
|
||||
CCE-85940-5
|
||||
CCE-85941-3
|
||||
CCE-85942-1
|
||||
-CCE-85943-9
|
||||
-CCE-85945-4
|
||||
-CCE-85946-2
|
||||
CCE-85947-0
|
||||
CCE-85948-8
|
||||
CCE-85949-6
|
||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
index f58bcf9..e235d49 100644
|
||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
@@ -1,5 +1,9 @@
|
||||
+title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
|
||||
description: Ensures PCI-DSS v3.2.1 security configuration settings are applied.
|
||||
-documentation_complete: true
|
||||
+extends: null
|
||||
+metadata:
|
||||
+ SMEs:
|
||||
+ - yuumasato
|
||||
reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
|
||||
selections:
|
||||
- account_disable_post_pw_expiration
|
||||
@@ -136,4 +141,8 @@ selections:
|
||||
- var_multiple_time_servers=rhel
|
||||
- var_sshd_set_keepalive=0
|
||||
- var_smartcard_drivers=cac
|
||||
-title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
|
||||
+platforms: !!set {}
|
||||
+cpe_names: !!set {}
|
||||
+platform: null
|
||||
+filter_rules: ''
|
||||
+documentation_complete: true
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 3b4b43a..1b4b955 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -332,6 +332,7 @@ selections:
|
||||
- service_systemd-coredump_disabled
|
||||
- service_usbguard_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+- set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
- sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 2e0e161..3568e07 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -343,6 +343,7 @@ selections:
|
||||
- service_systemd-coredump_disabled
|
||||
- service_usbguard_enabled
|
||||
- set_password_hashing_algorithm_logindefs
|
||||
+- set_password_hashing_algorithm_passwordauth
|
||||
- set_password_hashing_algorithm_systemauth
|
||||
- sshd_disable_compression
|
||||
- sshd_disable_empty_passwords
|
@ -0,0 +1,24 @@
|
||||
From 92b0f4069bced7d9e1e459db0799d7d2fb9faa59 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 14:47:52 +0100
|
||||
Subject: [PATCH] Update ocil_clause of encrypt_partitions to exclude boot
|
||||
partition.
|
||||
|
||||
Boot partitions are not part of required partitions to be encrypted.
|
||||
---
|
||||
.../software/disk_partitioning/encrypt_partitions/rule.yml | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index e9d25a34fbd..13231dc2cc9 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -90,6 +90,7 @@ ocil: |-
|
||||
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
|
||||
" TYPE="crypto_LUKS"</pre>
|
||||
<br /><br />
|
||||
- Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding.
|
||||
+ The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
|
||||
+ are not required to use disk encryption and are not a finding.
|
||||
|
||||
platform: machine
|
@ -0,0 +1,34 @@
|
||||
commit 35b2bc766287571aa1e826344730a41ae790c379
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri Feb 25 13:29:19 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
index 729e478..caccb6c 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
|
||||
@@ -28,7 +28,7 @@ references:
|
||||
nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
|
||||
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13
|
||||
srg: SRG-OS-000250-GPOS-00093
|
||||
- stigid@rhel8: RHEL-08-010020
|
||||
+ stigid@rhel8: RHEL-08-010287
|
||||
|
||||
ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd'
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 6b9d799..5d03125 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -189,9 +189,7 @@ selections:
|
||||
# RHEL-08-010260
|
||||
- file_groupowner_var_log
|
||||
|
||||
- # *** SHARED *** #
|
||||
- # RHEL-08-010290 && RHEL-08-010291
|
||||
- # *** SHARED *** #
|
||||
+ # RHEL-08-010287
|
||||
- configure_ssh_crypto_policy
|
||||
|
||||
# RHEL-08-010290
|
@ -0,0 +1,189 @@
|
||||
From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 1 Feb 2022 16:54:16 +0100
|
||||
Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a
|
||||
config.
|
||||
|
||||
The V1R5 release of RHEL8 STIG requires that the configuration should be
|
||||
present only in one configuration file to prevent any ordering problem
|
||||
when the modules loads the configuration using drop-in files that use
|
||||
the lexicographically order of file names.
|
||||
---
|
||||
.../sudo/sudoers_validate_passwd/ansible/shared.yml | 6 +++---
|
||||
.../sudo/sudoers_validate_passwd/oval/shared.xml | 12 ++++++------
|
||||
.../software/sudo/sudoers_validate_passwd/rule.yml | 3 ++-
|
||||
.../tests/sudoers_validate_passwd_duplicates.fail.sh | 7 +++++++
|
||||
4 files changed, 18 insertions(+), 10 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
index 08ffd76aed6..19673634fb3 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
@@ -4,6 +4,6 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
|
||||
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
|
||||
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
index 646e6bfb7c0..b3fadd53bee 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
||||
@@ -8,17 +8,17 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_targetpw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_targetpw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_rootpw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_rootpw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
|
||||
id="test_sudoers_runaspw_config" version="1">
|
||||
<ind:object object_ref="object_test_sudoers_runaspw_config" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -26,19 +26,19 @@
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
index ccc29b77d15..698021d8fd0 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
|
||||
ocil: |-
|
||||
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
|
||||
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
|
||||
- If no results are returned, this is a finding
|
||||
+ If no results are returned, this is a finding.
|
||||
+ If results are returned from more than one file location, this is a finding.
|
||||
If "Defaults !targetpw" is not defined, this is a finding.
|
||||
If "Defaults !rootpw" is not defined, this is a finding.
|
||||
If "Defaults !runaspw" is not defined, this is a finding.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6247b5230e4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
||||
|
||||
From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed, 9 Feb 2022 15:24:23 +0100
|
||||
Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove
|
||||
duplicates.
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 20 +++++++++++++++++++
|
||||
.../sudoers_validate_passwd/bash/shared.sh | 12 +++++++++++
|
||||
.../tests/sudoers_d_duplicate.fail.sh | 9 +++++++++
|
||||
3 files changed, 41 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
index 19673634fb3..399ca1ea3ce 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
||||
@@ -4,6 +4,26 @@
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
|
||||
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^{{{ line }}}$'
|
||||
+ register: sudoers_d_defaults
|
||||
+
|
||||
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: "^{{{ line }}}$"
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_defaults.files }}"
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
||||
+
|
||||
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
|
||||
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
|
||||
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
index ea0ac67fa1c..3b327f3fc88 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
||||
@@ -1,5 +1,17 @@
|
||||
# platform = multi_platform_all
|
||||
|
||||
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
||||
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
|
||||
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
|
||||
+fi
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
||||
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
||||
+
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
||||
+
|
||||
+
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a258d108a00
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
||||
+# packages = sudo
|
||||
+
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers
|
||||
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
|
||||
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
|
||||
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
|
@ -0,0 +1,164 @@
|
||||
From 17320d95043eb6acec223c6b1fe40f04d58d184d Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Mon, 21 Mar 2022 14:55:11 +0100
|
||||
Subject: [PATCH] 8220.
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 36 +++++++++++++++++
|
||||
.../bash/shared.sh | 39 +++++++++++++++++++
|
||||
.../oval/shared.xml | 4 +-
|
||||
.../sudo_require_reauthentication/rule.yml | 14 +------
|
||||
.../tests/multiple_correct_value.fail.sh | 10 +++++
|
||||
5 files changed, 88 insertions(+), 15 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 0000000..b0c67a6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
||||
@@ -0,0 +1,36 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
||||
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
|
||||
+ find:
|
||||
+ path: "/etc/sudoers.d"
|
||||
+ patterns: "*"
|
||||
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
||||
+ register: sudoers_d_defaults_timestamp_timeout
|
||||
+
|
||||
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
|
||||
+ lineinfile:
|
||||
+ path: "{{ item.path }}"
|
||||
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
||||
+ state: absent
|
||||
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
|
||||
+
|
||||
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
|
||||
+ lineinfile:
|
||||
+ path: /etc/sudoers
|
||||
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
|
||||
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
|
||||
+ validate: /usr/sbin/visudo -cf %s
|
||||
+ backrefs: yes
|
||||
+ register: edit_sudoers_timestamp_timeout_option
|
||||
+
|
||||
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
|
||||
+ lineinfile: # noqa 503
|
||||
+ path: /etc/sudoers
|
||||
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
|
||||
+ validate: /usr/sbin/visudo -cf %s
|
||||
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 0000000..f291f53
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
||||
@@ -0,0 +1,39 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = false
|
||||
+# strategy = restrict
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
+
|
||||
+. /usr/share/scap-security-guide/remediation_functions
|
||||
+
|
||||
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
||||
+
|
||||
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
|
||||
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
|
||||
+fi
|
||||
+
|
||||
+if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
+ cp /etc/sudoers /etc/sudoers.bak
|
||||
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
|
||||
+ # sudoers file doesn't define Option timestamp_timeout
|
||||
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
|
||||
+ else
|
||||
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
|
||||
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
|
||||
+
|
||||
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ # Check validity of sudoers and cleanup bak
|
||||
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
+ rm -f /etc/sudoers.bak
|
||||
+ else
|
||||
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
|
||||
+ mv /etc/sudoers.bak /etc/sudoers
|
||||
+ false
|
||||
+ fi
|
||||
+else
|
||||
+ echo "Skipping remediation, /etc/sudoers failed to validate"
|
||||
+ false
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
index 8f404ca..dfc319b 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
||||
@@ -6,13 +6,13 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
||||
<ind:object object_ref="obj_sudo_timestamp_timeout"/>
|
||||
<ind:state state_ref="state_sudo_timestamp_timeout" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
|
||||
- <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
index 8622d6a..f7a14a8 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
||||
@@ -45,16 +45,4 @@ ocil: |-
|
||||
<pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
|
||||
The output should be:
|
||||
<pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
|
||||
-
|
||||
-template:
|
||||
- name: sudo_defaults_option
|
||||
- vars:
|
||||
- option: timestamp_timeout
|
||||
- variable_name: "var_sudo_timestamp_timeout"
|
||||
- # optional minus char added so remediation can detect properly if item is already configured
|
||||
- option_regex_suffix: '=[-]?\w+\b'
|
||||
- backends:
|
||||
- # Template is not able to accomodate this particular check.
|
||||
- # It needs to check for an integer greater than or equal to zero
|
||||
- oval: "off"
|
||||
-
|
||||
+ If results are returned from more than one file location, this is a finding.
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..a258d66
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+
|
||||
+if grep -q 'timestamp_timeout' /etc/sudoers; then
|
||||
+ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
|
||||
+else
|
||||
+ echo "Defaults timestamp_timeout=3" >> /etc/sudoers
|
||||
+fi
|
||||
+
|
||||
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
|
||||
--
|
||||
2.34.1
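Review bot: In bash/shared.sh the bracket expression `[\s]` in the non-PCRE patterns — `grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*`, the following `sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d"` and the later `sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)...` — matches a literal backslash or the letter `s`, not whitespace; only the two `grep -P` calls and the OVAL pattern `^[\s]*Defaults[\s]+timestamp_timeout=` in oval/shared.xml treat it as whitespace. An indented `Defaults timestamp_timeout=...` line in /etc/sudoers.d is therefore never removed, and in /etc/sudoers the `grep -P` check finds such a line but the `sed -Ei` substitution silently matches nothing, so the script validates, deletes the backup and exits 0 without remediating while the OVAL check still fails. Use `[[:space:]]` in the BRE/ERE patterns, e.g. `grep -x '^[[:space:]]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*` and the same `[[:space:]]*` in both sed expressions. The regexps in ansible/shared.yml are Python regexes, where `[\s]` is whitespace, so they are unaffected.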
|
||||
|
@ -0,0 +1,303 @@
|
||||
commit 36b22c1b5f2cf6bdbe346cbca9c185f75e5dc8e6
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 11:28:39 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
index 0c544bf..4519460 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
|
||||
@@ -1,7 +1,11 @@
|
||||
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
|
||||
+# reboot = true
|
||||
+# strategy = enable
|
||||
+# complexity = low
|
||||
+# disruption = low
|
||||
|
||||
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
|
||||
- cat >> /etc/bashrc <<'EOF'
|
||||
+ cat >> /etc/profile.d/tmux.sh <<'EOF'
|
||||
if [ "$PS1" ]; then
|
||||
parent=$(ps -o ppid= -p $$)
|
||||
name=$(ps -o comm= -p $parent)
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
index 00ac349..4cb2f9e 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
|
||||
@@ -4,21 +4,27 @@
|
||||
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
|
||||
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
test_ref="test_configure_bashrc_exec_tmux" />
|
||||
+ <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
- <ind:textfilecontent54_test check="only one" check_existence="only_one_exists"
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
||||
comment="check tmux is configured to exec on the last line of /etc/bashrc"
|
||||
id="test_configure_bashrc_exec_tmux" version="1">
|
||||
<ind:object object_ref="obj_configure_bashrc_exec_tmux" />
|
||||
- <ind:state state_ref="state_configure_bashrc_exec_tmux" />
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
|
||||
<ind:behaviors singleline="true" multiline="false" />
|
||||
- <ind:filepath>/etc/bashrc</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
- <ind:textfilecontent54_state id="state_configure_bashrc_exec_tmux" version="1">
|
||||
- <ind:subexpression datatype="string" operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:subexpression>
|
||||
- </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
|
||||
+ <unix:object object_ref="obj_tmux_running"/>
|
||||
+ </unix:process58_test>
|
||||
+
|
||||
+ <unix:process58_object id="obj_tmux_running" version="1">
|
||||
+ <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
|
||||
+ <unix:pid datatype="int" operation="greater than">0</unix:pid>
|
||||
+ </unix:process58_object>
|
||||
</def-group>
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
index c43b8cb..6be090b 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
|
||||
@@ -7,12 +7,20 @@ title: 'Support session locking with tmux'
|
||||
description: |-
|
||||
The <tt>tmux</tt> terminal multiplexer is used to implement
|
||||
automatic session locking. It should be started from
|
||||
- <tt>/etc/bashrc</tt>.
|
||||
+ <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
|
||||
+ Additionally it must be ensured that the <tt>tmux</tt> process is running
|
||||
+ and it can be verified with the following command:
|
||||
+ <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
|
||||
rationale: |-
|
||||
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
|
||||
provides a mechanism to lock sessions after period of inactivity.
|
||||
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ The remediation does not start the tmux process, so it must be
|
||||
+ manually started or have the system rebooted after applying the fix.
|
||||
+
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
@@ -25,17 +33,21 @@ references:
|
||||
srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009
|
||||
stigid@rhel8: RHEL-08-020041
|
||||
|
||||
-ocil_clause: 'exec tmux is not present at the end of bashrc'
|
||||
+ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
|
||||
|
||||
ocil: |-
|
||||
To verify that tmux is configured to execute,
|
||||
run the following command:
|
||||
- <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc</pre>
|
||||
+ <pre>$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*</pre>
|
||||
The output should return the following:
|
||||
<pre>if [ "$PS1" ]; then
|
||||
parent=$(ps -o ppid= -p $$)
|
||||
name=$(ps -o comm= -p $parent)
|
||||
case "$name" in sshd|login) exec tmux ;; esac
|
||||
fi</pre>
|
||||
+ To verify that the tmux process is running,
|
||||
+ run the following command:
|
||||
+ <pre>ps all | grep tmux | grep -v grep</pre>
|
||||
+ If the command does not produce output, this is a finding.
|
||||
|
||||
platform: machine
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..221c186
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..1702bb1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+
|
||||
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..1dc38b8
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.fail.sh
|
||||
@@ -0,0 +1,17 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..6cb9d83
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+# remediation = none
|
||||
+
|
||||
+cat >> /etc/bashrc <<'EOF'
|
||||
+if [ "$PS1" ]; then
|
||||
+ parent=$(ps -o ppid= -p $$)
|
||||
+ name=$(ps -o comm= -p $parent)
|
||||
+ case "$name" in sshd|login) exec tmux ;; esac
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+killall tmux || true
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..f13a8b0
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,105 @@
|
||||
+#!/bin/bash
|
||||
+# packages = tmux
|
||||
+
|
||||
+cat > /etc/bashrc <<'EOF'
|
||||
+# /etc/bashrc
|
||||
+
|
||||
+# System wide functions and aliases
|
||||
+# Environment stuff goes in /etc/profile
|
||||
+
|
||||
+# It's NOT a good idea to change this file unless you know what you
|
||||
+# are doing. It's much better to create a custom.sh shell script in
|
||||
+# /etc/profile.d/ to make custom changes to your environment, as this
|
||||
+# will prevent the need for merging in future updates.
|
||||
+
|
||||
+# Prevent doublesourcing
|
||||
+if [ -z "$BASHRCSOURCED" ]; then
|
||||
+ BASHRCSOURCED="Y"
|
||||
+
|
||||
+ # are we an interactive shell?
|
||||
+ if [ "$PS1" ]; then
|
||||
+ if [ -z "$PROMPT_COMMAND" ]; then
|
||||
+ case $TERM in
|
||||
+ xterm*|vte*)
|
||||
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
|
||||
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
|
||||
+ elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
|
||||
+ PROMPT_COMMAND="__vte_prompt_command"
|
||||
+ else
|
||||
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
|
||||
+ fi
|
||||
+ ;;
|
||||
+ screen*)
|
||||
+ if [ -e /etc/sysconfig/bash-prompt-screen ]; then
|
||||
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
|
||||
+ else
|
||||
+ PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
|
||||
+ fi
|
||||
+ ;;
|
||||
+ *)
|
||||
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
|
||||
+ ;;
|
||||
+ esac
|
||||
+ fi
|
||||
+ # Turn on parallel history
|
||||
+ shopt -s histappend
|
||||
+ history -a
|
||||
+ # Turn on checkwinsize
|
||||
+ shopt -s checkwinsize
|
||||
+ [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
|
||||
+ # You might want to have e.g. tty in prompt (e.g. more virtual machines)
|
||||
+ # and console windows
|
||||
+ # If you want to do so, just add e.g.
|
||||
+ # if [ "$PS1" ]; then
|
||||
+ # PS1="[\u@\h:\l \W]\\$ "
|
||||
+ # fi
|
||||
+ # to your custom modification shell script in /etc/profile.d/ directory
|
||||
+ fi
|
||||
+
|
||||
+ if ! shopt -q login_shell ; then # We're not a login shell
|
||||
+ # Need to redefine pathmunge, it gets undefined at the end of /etc/profile
|
||||
+ pathmunge () {
|
||||
+ case ":${PATH}:" in
|
||||
+ *:"$1":*)
|
||||
+ ;;
|
||||
+ *)
|
||||
+ if [ "$2" = "after" ] ; then
|
||||
+ PATH=$PATH:$1
|
||||
+ else
|
||||
+ PATH=$1:$PATH
|
||||
+ fi
|
||||
+ esac
|
||||
+ }
|
||||
+
|
||||
+ # By default, we want umask to get set. This sets it for non-login shell.
|
||||
+ # Current threshold for system reserved uid/gids is 200
|
||||
+ # You could check uidgid reservation validity in
|
||||
+ # /usr/share/doc/setup-*/uidgid file
|
||||
+ if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
|
||||
+ umask 002
|
||||
+ else
|
||||
+ umask 022
|
||||
+ fi
|
||||
+
|
||||
+ SHELL=/bin/bash
|
||||
+ # Only display echos from profile.d scripts if we are no login shell
|
||||
+ # and interactive - otherwise just process them to set envvars
|
||||
+ for i in /etc/profile.d/*.sh; do
|
||||
+ if [ -r "$i" ]; then
|
||||
+ if [ "$PS1" ]; then
|
||||
+ . "$i"
|
||||
+ else
|
||||
+ . "$i" >/dev/null
|
||||
+ fi
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ unset i
|
||||
+ unset -f pathmunge
|
||||
+ fi
|
||||
+
|
||||
+fi
|
||||
+# vim:ts=4:sw=4
|
||||
+EOF
|
||||
+
|
||||
+tmux new-session -s root -d
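Review bot: The guard in bash/shared.sh still greps only /etc/bashrc (`if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then`) while the heredoc now appends to /etc/profile.d/tmux.sh, so the remediation is no longer idempotent: every run appends another copy of the block to tmux.sh because the line never appears in /etc/bashrc. Add the drop-in directory to the grep's file operands, e.g. `... /etc/bashrc /etc/profile.d/*.sh 2>/dev/null; then`, which also lines up with the widened filepath pattern `^/etc/bashrc$|^/etc/profile\.d/.*$` in oval/shared.xml. Separately, duplicate_value_multiple_files.fail.sh appears to fail only because nothing in it starts tmux (test_tmux_running), not because of the duplicate: the rewritten textfilecontent54_test has no state, and `check_existence="all_exist"` with `instance >= 1` is presumably satisfied by matches in both files, so a test that also runs `tmux new-session -s root -d` would show whether the check actually rejects duplicates.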
|
@ -0,0 +1,199 @@
|
||||
commit 8fe724cfa0f4cea726ddd7adb44cfbba0931b865
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 10:38:13 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch.
|
||||
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
index 5b3afb3..67d6836 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/ansible/shared.yml
|
||||
@@ -14,12 +14,3 @@
|
||||
- xorg-x11-server-Xwayland
|
||||
{{% endif %}}
|
||||
state: absent
|
||||
-
|
||||
-
|
||||
-- name: Switch to multi-user runlevel
|
||||
- file:
|
||||
- src: /usr/lib/systemd/system/multi-user.target
|
||||
- dest: /etc/systemd/system/default.target
|
||||
- state: link
|
||||
- force: yes
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
index dbabe57..496dc74 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/bash/shared.sh
|
||||
@@ -12,6 +12,3 @@
|
||||
{{% if product not in ["rhel7", "ol7"] %}}
|
||||
{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
{{% endif %}}
|
||||
-
|
||||
-# configure run level
|
||||
-systemctl set-default multi-user.target
|
||||
\ No newline at end of file
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
index 0710efe..0868ec6 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/oval/shared.xml
|
||||
@@ -2,10 +2,6 @@
|
||||
<definition class="compliance" id="xwindows_remove_packages" version="1">
|
||||
{{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
|
||||
<criteria>
|
||||
- {{%- if init_system == "systemd" and target_oval_version != [5, 10] %}}
|
||||
- <extend_definition comment="system is configured to boot into multi-user.target"
|
||||
- definition_ref="xwindows_runlevel_target" />
|
||||
- {{%- endif %}}
|
||||
<criterion comment="package xorg-x11-server-Xorg is not installed"
|
||||
test_ref="package_xorg-x11-server-Xorg_removed" />
|
||||
<extend_definition comment="package xorg-x11-server-common is removed"
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
index 935766d..00ef7d8 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
@@ -66,5 +66,7 @@ warnings:
|
||||
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
|
||||
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
|
||||
which might bring your system to an inconsistent state requiring additional configuration to access the system
|
||||
- again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
|
||||
+ again.
|
||||
+ The rule <tt>xwindows_runlevel_target</tt> can be used to configure the system to boot into the multi-user.target.
|
||||
+ If a GUI is an operational requirement, a tailored profile that removes this rule should used before
|
||||
continuing installation.
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
|
||||
deleted file mode 100644
|
||||
index 9bf62a4..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default multi-user.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
|
||||
deleted file mode 100644
|
||||
index 4eeb697..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/correct_target_under_lib.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..b3908cf
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..abafdbd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_installed_removed.pass.sh
|
||||
@@ -0,0 +1,16 @@
|
||||
+#!/bin/bash
|
||||
+# based on shared/templates/package_removed/tests/package-installed-removed.pass.sh
|
||||
+
|
||||
+{{{ bash_package_install("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_install("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_install("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..a403e10
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/packages_removed.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xorg") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-utils") }}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-common") }}}
|
||||
+{{% if product not in ["rhel7", "ol7"] %}}
|
||||
+{{{ bash_package_remove("xorg-x11-server-Xwayland") }}}
|
||||
+{{% endif %}}
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index ff7d0ef..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_correct_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,4 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 7
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index d8ecd8c..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel7_packages_installed_wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 7
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index 14f1a97..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_correct_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,4 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
|
||||
-
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index c678ef7..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/rhel8_packages_installed_wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
-# packages = xorg-x11-server-Xorg,xorg-x11-server-common,xorg-x11-server-utils,xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
|
||||
deleted file mode 100644
|
||||
index bf8a615..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-systemctl set-default graphical.target
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
|
||||
deleted file mode 100644
|
||||
index 652088b..0000000
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/tests/wrong_target_under_lib.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-
|
||||
-yum -y remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
|
||||
-
|
||||
-ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
|
1774
SOURCES/scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch
@ -0,0 +1,673 @@
|
||||
commit 94a680f9601fc2119c08fc6514712611d7f0d935
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri Feb 25 14:43:33 2022 +0100
|
||||
|
||||
    Manually edited patch scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
index 10203c9..3c9e460 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
||||
@@ -37,7 +37,7 @@ references:
|
||||
disa: CCI-001499
|
||||
nist: CM-5(6),CM-5(6).1
|
||||
srg: SRG-OS-000259-GPOS-00100
|
||||
- stigid@rhel8: RHEL-08-010350
|
||||
+ stigid@rhel8: RHEL-08-010351
|
||||
stigid@sle12: SLES-12-010876
|
||||
stigid@sle15: SLES-15-010356
|
||||
stigid@ubuntu2004: UBTU-20-010431
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
index 50fdb17..6a05a2b 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..6a05a2b
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ find "$dirPath" -type d -exec chgrp root '{}' \;
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..36461f5
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..3f09e3d
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
|
||||
@@ -0,0 +1,6 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
+
|
||||
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
+for dirPath in $DIRS; do
|
||||
+ mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
index 043ad6b..36461f5 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
|
||||
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
index e236238..ba923d8 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
|
||||
@@ -27,7 +27,7 @@ references:
|
||||
srg: SRG-OS-000258-GPOS-00099
|
||||
stigid@ubuntu2004: UBTU-20-010424
|
||||
|
||||
-ocil_clause: 'any system exectables directories are found to not be owned by root'
|
||||
+ocil_clause: 'any system executables directories are found to not be owned by root'
|
||||
|
||||
ocil: |-
|
||||
System executables are stored in the following directories by default:
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index 28e193f..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,28 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="dir_ownership_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- directories therein, are owned by root.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_dir_ownership_lib_dir" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_dir_ownership_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_owner_library_dirs_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_owner_library_dirs_not_root" version="1">
|
||||
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
index d6a0bed..f0781b3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
|
||||
@@ -27,6 +27,8 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-89021-0
|
||||
+ cce@rhel9: CCE-89022-8
|
||||
cce@sle12: CCE-83236-0
|
||||
cce@sle15: CCE-85735-9
|
||||
|
||||
@@ -34,6 +36,7 @@ references:
|
||||
disa: CCI-001499
|
||||
nist: CM-5(6),CM-5(6).1
|
||||
srg: SRG-OS-000259-GPOS-00100
|
||||
+ stigid@rhel8: RHEL-08-010341
|
||||
stigid@sle12: SLES-12-010874
|
||||
stigid@sle15: SLES-15-010354
|
||||
stigid@ubuntu2004: UBTU-20-010429
|
||||
@@ -49,3 +52,14 @@ ocil: |-
|
||||
For each of these directories, run the following command to find files not
|
||||
owned by root:
|
||||
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ recursive: 'true'
|
||||
+ fileuid: '0'
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
similarity index 69%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
index 0189166..a0d4990 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_rhel
|
||||
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
for dirPath in $DIRS; do
|
||||
find "$dirPath" -type d -exec chown root '{}' \;
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
similarity index 63%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
index 59b8a18..f366c2d 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
-# platform = multi_platform_sle
|
||||
+# platform = multi_platform_sle,multi_platform_rhel
|
||||
+groupadd nogroup
|
||||
DIRS="/lib /lib64"
|
||||
for dirPath in $DIRS; do
|
||||
mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
index a0e4e24..add26b2 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
|
||||
@@ -1,8 +1,8 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="dir_permissions_library_dirs" version="1">
|
||||
{{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are not group-writable or world-writable.
|
||||
+ Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64
|
||||
+ are not group-writable or world-writable.
|
||||
") }}}
|
||||
<criteria operator="AND">
|
||||
<criterion test_ref="dir_test_perms_lib_dir" />
|
||||
@@ -19,7 +19,7 @@
|
||||
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
<unix:filename xsi:nil="true" />
|
||||
<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">dir_perms_state_symlink</filter>
|
||||
+ <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>
|
||||
</unix:file_object>
|
||||
|
||||
<unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
|
||||
@@ -27,7 +27,7 @@
|
||||
<unix:owrite datatype="boolean">true</unix:owrite>
|
||||
</unix:file_state>
|
||||
|
||||
- <unix:file_state id="dir_perms_state_symlink" version="1">
|
||||
+ <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">
|
||||
<unix:type operation="equals">symbolic link</unix:type>
|
||||
</unix:file_state>
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
index 853f8ac..558eaa7 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
|
||||
@@ -60,3 +60,14 @@ ocil: |-
|
||||
To find shared libraries that are group-writable or world-writable,
|
||||
run the following command for each directory <i>DIR</i> which contains shared libraries:
|
||||
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ recursive: 'true'
|
||||
+ filemode: '0755'
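Review bot: The added `file_permissions` template with `filemode: '0755'` does not state the same requirement as the hand-written OVAL this patch keeps in oval/shared.xml, which only rejects group- or world-writable directories: a setgid 2755 directory passes that OVAL yet exceeds 0755. If the template is intended only to supply bash/ansible remediation while the explicit OVAL stays the authoritative check, record that above the block, e.g. `# Check is the hand-written OVAL in oval/shared.xml; this template only generates remediation.`; otherwise remove one of the two definitions so check and fix agree. Which of the two the build prefers when both exist is not visible in this patch and should be confirmed.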
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
index 7168288..eec7485 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = medium
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
index a9e8c7d..e352dd3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
|
||||
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index de81a37..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,18 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = medium
|
||||
-# disruption = medium
|
||||
-- name: "Read list libraries without root ownership"
|
||||
- command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
|
||||
- register: libraries_not_owned_by_root
|
||||
- changed_when: False
|
||||
- failed_when: False
|
||||
- check_mode: no
|
||||
-
|
||||
-- name: "Set ownership of system libraries to root"
|
||||
- file:
|
||||
- path: "{{ item }}"
|
||||
- owner: "root"
|
||||
- with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
|
||||
- when: libraries_not_owned_by_root | length > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index c75167d..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,8 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
|
||||
-do
|
||||
- if [ -d $LIBDIR ]
|
||||
- then
|
||||
- find -L $LIBDIR \! -user root -exec chown root {} \;
|
||||
- fi
|
||||
-done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index 59ee3d8..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,39 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="file_ownership_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are owned by root.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_ownership_lib_dir" />
|
||||
- <criterion test_ref="test_ownership_lib_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_file_ownership_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">
|
||||
- <unix:object object_ref="object_file_ownership_lib_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_owner_libraries_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
|
||||
- <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">state_owner_libraries_not_root</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_owner_libraries_not_root" version="1">
|
||||
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
index dfedd25..81089d3 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
|
||||
@@ -59,3 +59,14 @@ ocil: |-
|
||||
For each of these directories, run the following command to find files not
|
||||
owned by root:
|
||||
<pre>$ sudo find -L <i>$DIR</i> ! -user root -exec chown root {} \;</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_owner
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ fileuid: '0'
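Review bot: The new `file_owner` block has no `recursive: 'true'`, unlike the same template added to dir_ownership_library_dirs and dir_permissions_library_dirs in this patch, while the OVAL it deletes matched `^\/lib(|64)\/|^\/usr\/lib(|64)\/` as a pattern and so covered files in every nested directory (the removed metadata said "objects therein"). Unless the template recurses by default when `file_regex` is given — which cannot be confirmed from the patch — library files below the top level silently stop being checked. Add `recursive: 'true'` next to `file_regex: ^.*$`, and give incorrect_owner.fail.sh one nested file (e.g. `mkdir -p /usr/lib/testme && touch /usr/lib/testme/test_me`) so the regression is caught; the current fail test only creates files directly under the four directories.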
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..92c6a08
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
+
|
||||
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
+do
|
||||
+ if [[ -d $SYSLIBDIRS ]]
|
||||
+ then
|
||||
+ find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;
|
||||
+ fi
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..84da71f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
+
|
||||
+useradd user_test
|
||||
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
+do
|
||||
+ if [[ ! -f $TESTFILE ]]
|
||||
+ then
|
||||
+ touch $TESTFILE
|
||||
+ fi
|
||||
+ chown user_test $TESTFILE
|
||||
+done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
|
||||
deleted file mode 100644
|
||||
index cf9eeba..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
|
||||
+++ /dev/null
|
||||
@@ -1,18 +0,0 @@
|
||||
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
|
||||
-# reboot = false
|
||||
-# strategy = restrict
|
||||
-# complexity = high
|
||||
-# disruption = medium
|
||||
-- name: "Read list of world and group writable files in libraries directories"
|
||||
- command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
|
||||
- register: world_writable_library_files
|
||||
- changed_when: False
|
||||
- failed_when: False
|
||||
- check_mode: no
|
||||
-
|
||||
-- name: "Disable world/group writability to library files"
|
||||
- file:
|
||||
- path: "{{ item }}"
|
||||
- mode: "go-w"
|
||||
- with_items: "{{ world_writable_library_files.stdout_lines }}"
|
||||
- when: world_writable_library_files.stdout_lines | length > 0
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
|
||||
deleted file mode 100644
|
||||
index af04ad6..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-# platform = multi_platform_all
|
||||
-DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
||||
-for dirPath in $DIRS; do
|
||||
- find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
|
||||
-done
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
|
||||
deleted file mode 100644
|
||||
index f25c522..0000000
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
|
||||
+++ /dev/null
|
||||
@@ -1,46 +0,0 @@
|
||||
-<def-group>
|
||||
- <definition class="compliance" id="file_permissions_library_dirs" version="1">
|
||||
- {{{ oval_metadata("
|
||||
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
|
||||
- objects therein, are not group-writable or world-writable.
|
||||
- ") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion test_ref="test_perms_lib_dir" />
|
||||
- <criterion test_ref="test_perms_lib_files" />
|
||||
- </criteria>
|
||||
- </definition>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">
|
||||
- <unix:object object_ref="object_file_permissions_lib_dir" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">
|
||||
- <unix:object object_ref="object_file_permissions_lib_files" />
|
||||
- </unix:file_test>
|
||||
-
|
||||
- <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
|
||||
- <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
- <unix:filename xsi:nil="true" />
|
||||
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">perms_state_symlink</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
|
||||
- <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
|
||||
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
|
||||
- <unix:filename operation="pattern match">^.*$</unix:filename>
|
||||
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
|
||||
- <filter action="exclude">perms_state_symlink</filter>
|
||||
- </unix:file_object>
|
||||
-
|
||||
- <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
|
||||
- <unix:gwrite datatype="boolean">true</unix:gwrite>
|
||||
- <unix:owrite datatype="boolean">true</unix:owrite>
|
||||
- </unix:file_state>
|
||||
-
|
||||
- <unix:file_state id="perms_state_symlink" version="1">
|
||||
- <unix:type operation="equals">symbolic link</unix:type>
|
||||
- </unix:file_state>
|
||||
-
|
||||
-</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
index 902d8b5..e9afb91 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
|
||||
@@ -60,3 +60,14 @@ ocil: |-
|
||||
To find shared libraries that are group-writable or world-writable,
|
||||
run the following command for each directory <i>DIR</i> which contains shared libraries:
|
||||
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>
|
||||
+
|
||||
+template:
|
||||
+ name: file_permissions
|
||||
+ vars:
|
||||
+ filepath:
|
||||
+ - /lib/
|
||||
+ - /lib64/
|
||||
+ - /usr/lib/
|
||||
+ - /usr/lib64/
|
||||
+ file_regex: ^.*$
|
||||
+ filemode: '0755'
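Review bot: The OCIL text kept at the top of this hunk still tells the auditor to run `find -L DIR -perm /022 -type f`, which lists group- or world-writable files, while the new `template:` block turns the automated check into a `filemode: '0755'` bound; if the file_permissions template flags anything more permissive than the given mode (its definition is outside this patch), a setuid or setgid library such as 4755 now fails the OVAL check yet is invisible to the documented manual command. Aligning the OCIL with the template, e.g. `<pre>$ sudo find -L <i>DIR</i> -perm /7022 -type f</pre>`, keeps the manual and automated checks equivalent. The removed OVAL also excluded symbolic links and checked the directories themselves; whether the template excludes symlinks is not visible here, and the directory part presumably lives in dir_permissions_library_dirs, which the profile-stability files in this patch list.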
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
|
||||
similarity index 100%
|
||||
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
|
||||
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
index 3b983de..3a1e5ba 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
||||
@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
|
||||
|
||||
title: |-
|
||||
Verify the system-wide library files in directories
|
||||
- "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
|
||||
+ "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
|
||||
|
||||
description: |-
|
||||
System-wide library files are stored in the following directories
|
||||
@@ -15,7 +15,7 @@ description: |-
|
||||
/usr/lib64
|
||||
</pre>
|
||||
All system-wide shared library files should be protected from unauthorised
|
||||
- access. If any of these files is not owned by root, correct its owner with
|
||||
+ access. If any of these files is not group-owned by root, correct its group-owner with
|
||||
the following command:
|
||||
<pre>$ sudo chgrp root <i>FILE</i></pre>
|
||||
|
||||
@@ -46,7 +46,7 @@ references:
|
||||
stigid@sle15: SLES-15-010355
|
||||
stigid@ubuntu2004: UBTU-20-01430
|
||||
|
||||
-ocil_clause: 'system wide library files are not group owned by root'
|
||||
+ocil_clause: 'system wide library files are not group-owned by root'
|
||||
|
||||
ocil: |-
|
||||
System-wide library files are stored in the following directories:
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
index a4ae285..5356d37 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
||||
do
|
||||
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
index c96f65b..9636acf 100644
|
||||
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
||||
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
|
||||
|
||||
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
||||
do
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d6f0793..5b2cc0f 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -233,8 +233,13 @@ selections:
|
||||
# RHEL-08-010340
|
||||
- file_ownership_library_dirs
|
||||
|
||||
+ # RHEL-08-010341
|
||||
+ - dir_ownership_library_dirs
|
||||
+
|
||||
# RHEL-08-010350
|
||||
- root_permissions_syslibrary_files
|
||||
+
|
||||
+ # RHEL-08-010351
|
||||
- dir_group_ownership_library_dirs
|
||||
|
||||
# RHEL-08-010359
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index d8daeb3..0584677 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -3074,8 +3074,6 @@ CCE-89017-8
|
||||
CCE-89018-6
|
||||
CCE-89019-4
|
||||
CCE-89020-2
|
||||
-CCE-89021-0
|
||||
-CCE-89022-8
|
||||
CCE-89023-6
|
||||
CCE-89024-4
|
||||
CCE-89025-1
|
||||
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
|
||||
index 68fc2e1..0b4ab59 100644
|
||||
--- a/shared/templates/file_groupowner/ansible.template
|
||||
+++ b/shared/templates/file_groupowner/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
|
||||
index fd2e5db..64a4944 100644
|
||||
--- a/shared/templates/file_groupowner/oval.template
|
||||
+++ b/shared/templates/file_groupowner/oval.template
|
||||
@@ -45,6 +45,10 @@
|
||||
{{%- else %}}
|
||||
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+ <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
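Review bot: The new state id `symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}` labels a group id with `_uid_`; the id occurs both in the exclude filter and in the `<unix:file_state>` declaration, so renaming that segment to `_gid_` on both lines keeps the generated OVAL self-describing (the file_owner/oval.template counterpart in this patch really carries a uid, so its `_uid_` is fine). The state is emitted after `{{% endfor %}}`, so every file object of the loop references one state; that is only correct if FILEID and FILEGID are constant across the loop, which the hunk does not show. A short comment above the state, `<!-- shared by all file objects above: symbolic links are excluded from the group-owner check -->`, would document the intent.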
|
||||
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
|
||||
index 590c9fc..dba9e65 100644
|
||||
--- a/shared/templates/file_owner/ansible.template
|
||||
+++ b/shared/templates/file_owner/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
|
||||
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
|
||||
index 105e29c..777831d 100644
|
||||
--- a/shared/templates/file_owner/oval.template
|
||||
+++ b/shared/templates/file_owner/oval.template
|
||||
@@ -44,6 +44,10 @@
|
||||
{{%- else %}}
|
||||
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
|
||||
{{%- endif %}}
|
||||
+ <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>
|
||||
</unix:file_object>
|
||||
{{% endfor %}}
|
||||
+ <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
|
||||
+ <unix:type operation="equals">symbolic link</unix:type>
|
||||
+ </unix:file_state>
|
||||
</def-group>
|
||||
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
|
||||
index fc211bd..6d4dedc 100644
|
||||
--- a/shared/templates/file_permissions/ansible.template
|
||||
+++ b/shared/templates/file_permissions/ansible.template
|
||||
@@ -12,6 +12,7 @@
|
||||
paths: "{{{ path }}}"
|
||||
patterns: {{{ FILE_REGEX[loop.index0] }}}
|
||||
use_regex: yes
|
||||
+ hidden: yes
|
||||
register: files_found
|
||||
|
||||
- name: Set permissions for {{{ path }}} file(s)
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 1b4b955..c2522c9 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -175,6 +175,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_ownership_library_dirs
|
||||
- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 3568e07..95d87fd 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -186,6 +186,7 @@ selections:
|
||||
- dconf_gnome_screensaver_idle_delay
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dir_group_ownership_library_dirs
|
||||
+- dir_ownership_library_dirs
|
||||
- dir_permissions_library_dirs
|
||||
- dir_perms_world_writable_root_owned
|
||||
- dir_perms_world_writable_sticky_bits
|
@ -0,0 +1,137 @@
|
||||
commit 11140ac5d67f256a7d3c8fdac9eca73c007dabb8
|
||||
Author: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon Feb 28 11:04:30 2022 +0100
|
||||
|
||||
Manual edited patch scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch.
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
index 1d53a71..2e47e16 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
|
||||
@@ -46,7 +46,7 @@ ocil_clause: 'that is not the case'
|
||||
ocil: |-
|
||||
To check the value for maximum consecutive repeating characters, run the following command:
|
||||
<pre>$ grep maxclassrepeat /etc/security/pwquality.conf</pre>
|
||||
- For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
|
||||
+ For DoD systems, the output should show <tt>maxclassrepeat</tt>=4 or less but greater than zero.
|
||||
|
||||
platform: pam
|
||||
|
||||
@@ -55,3 +55,4 @@ template:
|
||||
vars:
|
||||
variable: maxclassrepeat
|
||||
operation: less than or equal
|
||||
+ zero_comparison_operation: greater than
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..5d91559
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 4" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
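Review bot: The substitution `sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 4/'` is unanchored, so any line that merely mentions the key, such as a comment describing it, is rewritten into an active setting as well, and `grep -q 'maxclassrepeat'` chooses this branch on the same loose match; the scenario presumably relies on the stock pwquality.conf carrying the key only as a commented default. Anchoring both patterns on the key itself, `grep -q '^#\?\s*maxclassrepeat\s*='` and `sed -i 's/^#\?\s*maxclassrepeat\s*=.*/maxclassrepeat = 4/'`, limits the rewrite to the real (possibly commented-out) setting line. The same two lines are copied into the four sibling scenarios added by this patch (correct_value_less_than_variable, negative_value, wrong_value, wrong_value_0), so the change applies there too; negative_value.fail.sh alone lacks the trailing blank line the others end with.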
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
||||
new file mode 100644
|
||||
index 0000000..4bd8070
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/correct_value_less_than_variable.pass.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 2/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 2" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..61538a4
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/negative_value.fail.sh
|
||||
@@ -0,0 +1,7 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = -1/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = -1" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..2218250
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 5/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 5" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
||||
new file mode 100644
|
||||
index 0000000..780873c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/tests/wrong_value_0.fail.sh
|
||||
@@ -0,0 +1,8 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+if grep -q 'maxclassrepeat' /etc/security/pwquality.conf; then
|
||||
+ sed -i 's/.*maxclassrepeat.*/maxclassrepeat = 0/' /etc/security/pwquality.conf
|
||||
+else
|
||||
+ echo "maxclassrepeat = 0" >> /etc/security/pwquality.conf
|
||||
+fi
|
||||
+
|
||||
diff --git a/shared/templates/accounts_password/oval.template b/shared/templates/accounts_password/oval.template
|
||||
index 332a280..b995db1 100644
|
||||
--- a/shared/templates/accounts_password/oval.template
|
||||
+++ b/shared/templates/accounts_password/oval.template
|
||||
@@ -7,11 +7,14 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check="all"
|
||||
+ <ind:textfilecontent54_test check="all" state_operator="AND"
|
||||
comment="check the configuration of /etc/security/pwquality.conf"
|
||||
id="test_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
||||
<ind:object object_ref="obj_password_pam_pwquality_{{{ VARIABLE }}}" />
|
||||
<ind:state state_ref="state_password_pam_{{{ VARIABLE }}}" />
|
||||
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
||||
+ <ind:state state_ref="state_password_pam_{{{ VARIABLE }}}_zero_comparison" />
|
||||
+ {{%- endif %}}
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_password_pam_pwquality_{{{ VARIABLE }}}" version="3">
|
||||
@@ -24,5 +27,11 @@
|
||||
<ind:subexpression datatype="int" operation="{{{ OPERATION }}}" var_ref="var_password_pam_{{{ VARIABLE }}}" />
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
+ {{%- if ZERO_COMPARISON_OPERATION %}}
|
||||
+ <ind:textfilecontent54_state id="state_password_pam_{{{ VARIABLE }}}_zero_comparison" version="1">
|
||||
+ <ind:subexpression datatype="int" operation="{{{ ZERO_COMPARISON_OPERATION }}}" >0</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+ {{%- endif %}}
|
||||
+
|
||||
<external_variable comment="External variable for pam_{{{ VARIABLE }}}" datatype="int" id="var_password_pam_{{{ VARIABLE }}}" version="3" />
|
||||
</def-group>
|
||||
diff --git a/shared/templates/accounts_password/template.py b/shared/templates/accounts_password/template.py
|
||||
index 65c25ec..ab849d1 100644
|
||||
--- a/shared/templates/accounts_password/template.py
|
||||
+++ b/shared/templates/accounts_password/template.py
|
||||
@@ -1,4 +1,7 @@
|
||||
+from ssg.utils import parse_template_boolean_value
|
||||
+
|
||||
def preprocess(data, lang):
|
||||
if lang == "oval":
|
||||
data["sign"] = "-?" if data["variable"].endswith("credit") else ""
|
||||
+ data["zero_comparison_operation"] = data.get("zero_comparison_operation", None)
|
||||
return data
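Review bot: `parse_template_boolean_value` is imported on the new first line but never used, and since the whole seven-line file sits inside this hunk the import should be dropped (or the new value parsed with it, if a boolean was intended, which `zero_comparison_operation: greater than` in the rule.yml of this patch suggests it was not). `data.get("zero_comparison_operation", None)` is the same as `data.get("zero_comparison_operation")`. The value is passed straight into `operation="..."` in oval.template, so a typo presumably surfaces only when the generated OVAL is validated; a comment on the assignment, `# optional OVAL operation comparing the value against 0 (e.g. "greater than"); absent/None omits the extra state`, would document the contract.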
|
@ -5,7 +5,7 @@
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.57
|
||||
Release: 5%{?dist}.alma
|
||||
Release: 9%{?dist}.alma
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -76,6 +76,49 @@ Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
|
||||
Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
|
||||
Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
|
||||
Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
|
||||
Patch57: scap-security-guide-0.1.58-RHEL_08_010400-PR_7411.patch
|
||||
Patch58: scap-security-guide-0.1.58-BZ_1942281-PR_7471.patch
|
||||
Patch59: scap-security-guide-0.1.59-add_missing_stig_ids-PR_7597.patch
|
||||
Patch60: scap-security-guide-0.1.59-fix_6844-PR_7673.patch
|
||||
Patch61: scap-security-guide-0.1.59-fix_7333-PR_7692.patch
|
||||
Patch62: scap-security-guide-0.1.59-sshd_priv_keys_600-PR_7742.patch
|
||||
Patch63: scap-security-guide-0.1.59-BZ1884687-PR_7770.patch
|
||||
Patch64: scap-security-guide-0.1.59-BZ1884687D-PR_7837.patch
|
||||
Patch65: scap-security-guide-0.1.59-BZ1884687C-PR_7824.patch
|
||||
Patch66: scap-security-guide-0.1.59-BZ1884687B-PR_7790.patch
|
||||
Patch67: scap-security-guide-0.1.60-rhel8_stig_v1r4-PR_7930.patch
|
||||
Patch68: scap-security-guide-0.1.60-sysctl_d_directories-PR_7999.patch
|
||||
Patch69: scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch
|
||||
Patch70: scap-security-guide-0.1.59-multifile_templates-PR_7405.patch
|
||||
Patch71: scap-security-guide-0.1.61-file_groupowner-PR_7791.patch
|
||||
Patch72: scap-security-guide-0.1.61-file_owner-PR_7789.patch
|
||||
Patch73: scap-security-guide-0.1.61-file_permissions-PR_7788.patch
|
||||
Patch74: scap-security-guide-0.1.61-update_RHEL_08_010287-PR_8051.patch
|
||||
Patch75: scap-security-guide-0.1.61-add_RHEL_08_010331-PR_8055.patch
|
||||
Patch76: scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch
|
||||
Patch77: scap-security-guide-0.1.61-add_RHEL_08_010359-PR_8131.patch
|
||||
Patch78: scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch
|
||||
Patch79: scap-security-guide-0.1.61-update_RHEL_08_STIG-PR_8139.patch
|
||||
Patch80: scap-security-guide-0.1.61-add_RHEL_08_040321-PR_8169.patch
|
||||
Patch81: scap-security-guide-0.1.61-add_RHEL_08_020221-PR_8173.patch
|
||||
Patch82: scap-security-guide-0.1.61-update_RHEL_08_040320-PR_8170.patch
|
||||
Patch83: scap-security-guide-0.1.61-rhel8_stig_audit_rules-PR_8174.patch
|
||||
Patch84: scap-security-guide-0.1.61-update_RHEL_08_010030-PR_8183.patch
|
||||
Patch85: scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch
|
||||
Patch86: scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch
|
||||
Patch87: scap-security-guide-0.1.61-remove_client_alive_max-PR_8197.patch
|
||||
Patch88: scap-security-guide-0.1.61-update_RHEL_08_020041-PR_8146.patch
|
||||
Patch89: scap-security-guide-0.1.61-no_time_servers_chrony-PR_8187.patch
|
||||
Patch90: scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch
|
||||
Patch91: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
|
||||
Patch92: scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
|
||||
Patch93: scap-security-guide-0.1.58-templated_tests-PR_7211.patch
|
||||
Patch94: reorder-reference-in-alphabetical-order.patch
|
||||
Patch95: scap-security-guide-0.1.59-fix_accounts_umask_interactive_users-PR_7898.patch
|
||||
Patch96: scap-security-guide-0.1.58-fix_rsyslog_streamdriver_remediation_typos-PR_7570.patch
|
||||
Patch97: scap-security-guide-0.1.59-rsyslog_encrypt_offload_fix_7741-PR_7755.patch
|
||||
Patch98: scap-security-guide-0.1.58-ansible_disable_ctrlaltdel_reboot-PR_7571.patch
|
||||
Patch99: scap-security-guide-0.1.60-address_pool_directives_maxpoll_rule-PR_7910.patch
|
||||
|
||||
# AlmaLinux patches
|
||||
Patch1001: 0001-Add-AlmaLinux-8-support.patch
|
||||
@ -174,9 +217,21 @@ cd build
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
|
||||
%changelog
|
||||
* Tue Nov 09 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.57-5.alma
|
||||
* Tue Apr 26 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.57-9.alma
|
||||
- Add AlmaLinux support
|
||||
|
||||
* Thu Mar 24 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-9
|
||||
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
|
||||
|
||||
* Wed Mar 23 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-8
|
||||
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
|
||||
|
||||
* Mon Mar 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-7
|
||||
- Add missing updates to RHEL8 STIG profile version V1R5 (RHBZ#2059876)
|
||||
|
||||
* Thu Feb 24 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-6
|
||||
- Update RHEL8 STIG profile to V1R5 (RHBZ#2059876)
|
||||
|
||||
* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
|
||||
- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).
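Review bot: Patch94 `reorder-reference-in-alphabetical-order.patch` in the `@ -76,6 +76,49 @@` hunk is the only entry in the list that does not follow the `scap-security-guide-<upstream version>-<topic>-PR_<number>.patch` naming of the other entries, so neither the upstream version it targets nor the pull request it comes from can be read off the spec. Renaming it to the same scheme, e.g. `Patch94: scap-security-guide-<UPSTREAM-VERSION>-reorder_reference_alphabetical-PR_<PR-NUMBER>.patch` with the real values filled in, keeps the backport list traceable. The new `0.1.57-9.alma` changelog entry repeats only the old `- Add AlmaLinux support` line; the Red Hat entries for -6 through -9 follow it, so the history is preserved, but a one-line note that -9.alma is a rebase onto 0.1.57-9 would help readers of the AlmaLinux entry.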
|
||||
|
||||
|