Add rsyslog rainer support and rebase fixes

Resolves: rhbz#2169443 Resolves: rhbz#2169441 Resolves: rhbz#2169445
2023-02-13 17:52:36 +01:00 · 2023-02-13 17:52:36 +01:00 · 5e6a5eeb83
commit 5e6a5eeb83
parent b734798dc6
6 changed files with 5487 additions and 0 deletions
--- a/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
+++ b/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
@ -0,0 +1,106 @@
 From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001
 From: Watson Sato <wsato@redhat.com>
 Date: Mon, 13 Feb 2023 17:49:14 +0100
 Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled
 Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
 Patch-status: Change custom zones check in firewalld_sshd_port_enabled
 ---
 .../oval/shared.xml                           | 68 +++++++++++++++----
 1 file changed, 54 insertions(+), 14 deletions(-)
 diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
 index 4adef2e53f..d7c96665b4 100644
 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
 +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -133,9 +133,10 @@
          OVAL resources in order to detect and assess only active zone, which are zones with at
          least one NIC assigned to it. Since it was possible to easily have the list of active
          zones, it was cumbersome to use that list in other OVAL objects without introduce a high
 -         level of complexity to make sure environments with multiple NICs and multiple zones are
 -         in use. So, in favor of simplicity and readbility it was decided to work with a static
 -         list. It means that, in the future, it is possible this list needs to be updated. -->
 +         level of complexity to ensure proper assessment in environments where multiple NICs and
 +         multiple zones are in use. So, in favor of simplicity and readbility it was decided to
 +         work with a static list. It means that, in the future, it is possible this list needs to
 +         be updated. -->
     <local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
         datatype="string"
         comment="Regex containing the list of zones files delivered in the firewalld package">
@@ -145,23 +146,62 @@
     <!-- If any default zone is modified by the administrator, the respective zone file is placed
          in the /etc/firewalld/zones dir in order to override the default zone settings. The same
          directory is applicable for new zones created by the administrator. Therefore, all files
 -         in this directory should also allow SSH. -->
 -    <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
 +         in this directory should also allow SSH.
 +         This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
 +         which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
 +         variable test is the simplest way to check if all custom zones are allowing ssh, but have
 +         an impact in transparency since the objects are not shown in reports. The transparency
 +         impact can be workarounded by using other OVAL objects, but this would impact in
 +         readability and would increase complexity. This solution is in favor of simplicity. -->
 +    <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
         check="all" check_existence="at_least_one_exists" version="1"
         comment="SSH service is defined in all zones created or modified by the administrator">
 -      <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
 -      <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
 -    </ind:xmlfilecontent_test>
 +        <ind:object
 +            object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
 +        <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
 +    </ind:variable_test>
 +
 +    <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
 +        version="1">
 +      <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
 +    </ind:variable_object>
 +
 +    <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
 +        datatype="int" version="1"
 +        comment="Variable including number of custom zone files allowing ssh">
 +        <count>
 +            <object_component item_field="filepath"
 +                object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
 +        </count>
 +    </local_variable>
     <ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
 -      <ind:path>/etc/firewalld/zones</ind:path>
 -      <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
 -      <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
 +        <ind:path>/etc/firewalld/zones</ind:path>
 +        <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
 +        <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
     </ind:xmlfilecontent_object>
 -    <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
 -      <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
 -    </ind:xmlfilecontent_state>
 +    <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
 +        version="1">
 +        <ind:value datatype="int" operation="equals" var_check="at least one"
 +            var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
 +    </ind:variable_state>
 +
 +    <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
 +        datatype="int" version="1"
 +        comment="Variable including number of custom zone files present in /etc/firewalld/zones">
 +        <count>
 +            <object_component item_field="filepath"
 +                object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
 +        </count>
 +    </local_variable>
 +
 +    <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
 +        <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
 +            recurse_file_system="local"/>
 +        <unix:path>/etc/firewalld/zones</unix:path>
 +        <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
 +    </unix:file_object>
     <!-- SSH service is configured as expected -->
     <!-- The firewalld package brings many services already defined out-of-box, including SSH.
 -- 
 2.39.1
--- a/scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
+++ b/scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
@ -0,0 +1,122 @@
 From 25216f8eb9caa6e783322158967b689e8bd784e7 Mon Sep 17 00:00:00 2001
 From: Watson Sato <wsato@redhat.com>
 Date: Mon, 13 Feb 2023 17:49:14 +0100
 Subject: [PATCH 4/5] Accept required and requisite control flag for
 pam_pwhistory
 Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
 Patch-status: Accept required and requisite control flag for pam_pwhistory
 ---
 controls/cis_rhel8.yml                                        | 2 +-
 controls/cis_rhel9.yml                                        | 2 +-
 controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml                | 2 +-
 .../rule.yml                                                  | 4 ++++
 .../var_password_pam_remember_control_flag.var                | 1 +
 products/rhel8/profiles/stig.profile                          | 2 +-
 tests/data/profile_stability/rhel8/stig.profile               | 2 +-
 tests/data/profile_stability/rhel8/stig_gui.profile           | 2 +-
 8 files changed, 11 insertions(+), 6 deletions(-)
 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
 index c0406f97b8..efc53d03fd 100644
 --- a/controls/cis_rhel8.yml
 +++ b/controls/cis_rhel8.yml
@@ -2267,7 +2267,7 @@ controls:
     rules:
       - accounts_password_pam_pwhistory_remember_password_auth
       - accounts_password_pam_pwhistory_remember_system_auth
 -      - var_password_pam_remember_control_flag=requisite
 +      - var_password_pam_remember_control_flag=requisite_or_required
       - var_password_pam_remember=5
   - id: 5.5.4
 diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
 index 7299a39528..30f7e8d182 100644
 --- a/controls/cis_rhel9.yml
 +++ b/controls/cis_rhel9.yml
@@ -2112,7 +2112,7 @@ controls:
     rules:
       - accounts_password_pam_pwhistory_remember_password_auth
       - accounts_password_pam_pwhistory_remember_system_auth
 -      - var_password_pam_remember_control_flag=requisite
 +      - var_password_pam_remember_control_flag=requisite_or_required
       - var_password_pam_remember=5
   - id: 5.5.4
 diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
 index 1e8286a4a4..b02b7da419 100644
 --- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
 +++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
@@ -5,7 +5,7 @@ controls:
         title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
         rules:
             - var_password_pam_remember=5
 -            - var_password_pam_remember_control_flag=requisite
 +            - var_password_pam_remember_control_flag=requisite_or_required
             - accounts_password_pam_pwhistory_remember_password_auth
             - accounts_password_pam_pwhistory_remember_system_auth
         status: automated
 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
 index c549de2e96..d2b220ef9f 100644
 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
 +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -129,3 +129,7 @@ warnings:
        Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
        enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
        system, an authselect custom profile must be used to avoid integrity issues in PAM files.
 +       If a custom profile was created and used in the system before this authselect feature was
 +       available, the new feature can't be used with this custom profile and the
 +       remediation will fail. In this case, the custom profile should be recreated or manually
 +       updated.
 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
 index 8f01007550..1959936c04 100644
 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
 +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
@@ -20,4 +20,5 @@ options:
     "sufficient": "sufficient"
     "binding": "binding"
     "ol8": "required,requisite"
 +    "requisite_or_required": "requisite,required"
     default: "requisite"
 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
 index 8c64868619..a3f7dc9720 100644
 --- a/products/rhel8/profiles/stig.profile
 +++ b/products/rhel8/profiles/stig.profile
@@ -37,7 +37,7 @@ selections:
     - var_accounts_minimum_age_login_defs=1
     - var_accounts_max_concurrent_login_sessions=10
     - var_password_pam_remember=5
 -    - var_password_pam_remember_control_flag=requisite
 +    - var_password_pam_remember_control_flag=requisite_or_required
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
     - var_password_pam_unix_rounds=5000
 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
 index 6970a32b4f..5d694c6ae1 100644
 --- a/tests/data/profile_stability/rhel8/stig.profile
 +++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -433,7 +433,7 @@ selections:
 - var_accounts_minimum_age_login_defs=1
 - var_accounts_max_concurrent_login_sessions=10
 - var_password_pam_remember=5
 -- var_password_pam_remember_control_flag=requisite
 +- var_password_pam_remember_control_flag=requisite_or_required
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
 - var_password_pam_unix_rounds=5000
 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
 index 314f14e4f6..e165525b90 100644
 --- a/tests/data/profile_stability/rhel8/stig_gui.profile
 +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -441,7 +441,7 @@ selections:
 - var_accounts_minimum_age_login_defs=1
 - var_accounts_max_concurrent_login_sessions=10
 - var_password_pam_remember=5
 -- var_password_pam_remember_control_flag=requisite
 +- var_password_pam_remember_control_flag=requisite_or_required
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
 - var_password_pam_unix_rounds=5000
 -- 
 2.39.1
--- a/scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
+++ b/scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
@ -0,0 +1,147 @@
 From 2bfdf9fa7e8309b079e657460671818e77b9a233 Mon Sep 17 00:00:00 2001
 From: Watson Sato <wsato@redhat.com>
 Date: Mon, 13 Feb 2023 17:49:15 +0100
 Subject: [PATCH 5/5] remove rule logind_session_timeout and associated
 variable from profiles
 Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
 Patch-status: remove rule logind_session_timeout and associated variable from profiles
 ---
 controls/anssi.yml                                 | 2 --
 products/rhel8/profiles/cjis.profile               | 2 --
 products/rhel8/profiles/ospp.profile               | 2 --
 products/rhel8/profiles/pci-dss.profile            | 2 --
 products/rhel8/profiles/rht-ccp.profile            | 2 --
 tests/data/profile_stability/rhel8/ospp.profile    | 2 --
 tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
 7 files changed, 14 deletions(-)
 diff --git a/controls/anssi.yml b/controls/anssi.yml
 index 607ce976ef..9e631d1de4 100644
 --- a/controls/anssi.yml
 +++ b/controls/anssi.yml
@@ -676,8 +676,6 @@ controls:
     - var_accounts_tmout=10_min
     - sshd_set_idle_timeout
     - sshd_idle_timeout_value=10_minutes
 -    - logind_session_timeout
 -    - var_logind_session_timeout=10_minutes
     - sshd_set_keepalive
   - id: R30
 diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
 index 22ae5aac72..30843b692e 100644
 --- a/products/rhel8/profiles/cjis.profile
 +++ b/products/rhel8/profiles/cjis.profile
@@ -104,7 +104,6 @@ selections:
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0
 -    - logind_session_timeout
     - sshd_set_keepalive_0
     - disable_host_auth
     - sshd_disable_root_login
@@ -120,7 +119,6 @@ selections:
     - set_firewalld_default_zone
     - firewalld_sshd_port_enabled
     - sshd_idle_timeout_value=30_minutes
 -    - var_logind_session_timeout=30_minutes
     - inactivity_timeout_value=30_minutes
     - sysctl_net_ipv4_conf_default_accept_source_route
     - sysctl_net_ipv4_tcp_syncookies
 diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
 index 0fe17b2085..fb46ab4c0c 100644
 --- a/products/rhel8/profiles/ospp.profile
 +++ b/products/rhel8/profiles/ospp.profile
@@ -300,8 +300,6 @@ selections:
     ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
     - sshd_idle_timeout_value=14_minutes
     - sshd_set_idle_timeout
 -    - logind_session_timeout
 -    - var_logind_session_timeout=14_minutes
     ## Disable Unauthenticated Login (such as Guest Accounts)
     ## FIA_UAU.1
 diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
 index c63c5f4a07..c0c9b12773 100644
 --- a/products/rhel8/profiles/pci-dss.profile
 +++ b/products/rhel8/profiles/pci-dss.profile
@@ -17,7 +17,6 @@ selections:
     - var_accounts_passwords_pam_faillock_deny=6
     - var_accounts_passwords_pam_faillock_unlock_time=1800
     - sshd_idle_timeout_value=15_minutes
 -    - var_logind_session_timeout=15_minutes
     - var_password_pam_minlen=7
     - var_password_pam_minclass=2
     - var_accounts_maximum_age_login_defs=90
@@ -110,7 +109,6 @@ selections:
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
     - sshd_set_idle_timeout
 -    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - accounts_password_pam_minlen
 diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
 index 6856951bff..01133a9bde 100644
 --- a/products/rhel8/profiles/rht-ccp.profile
 +++ b/products/rhel8/profiles/rht-ccp.profile
@@ -12,7 +12,6 @@ selections:
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
     - sshd_idle_timeout_value=5_minutes
 -    - var_logind_session_timeout=5_minutes
     - var_accounts_minimum_age_login_defs=7
     - var_accounts_passwords_pam_faillock_deny=5
     - var_accounts_password_warn_age_login_defs=7
@@ -89,7 +88,6 @@ selections:
     - package_telnet_removed
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
 -    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - disable_host_auth
 diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
 index a31f3245d8..267b66a4f8 100644
 --- a/tests/data/profile_stability/rhel8/ospp.profile
 +++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -104,7 +104,6 @@ selections:
 - kernel_module_firewire-core_disabled
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
 -- logind_session_timeout
 - mount_option_boot_nodev
 - mount_option_boot_nosuid
 - mount_option_dev_shm_nodev
@@ -254,7 +253,6 @@ selections:
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - sshd_idle_timeout_value=14_minutes
 -- var_logind_session_timeout=14_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
 - var_accounts_passwords_pam_faillock_unlock_time=never
 diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
 index 5c77ea6a85..902d0084fc 100644
 --- a/tests/data/profile_stability/rhel8/pci-dss.profile
 +++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -109,7 +109,6 @@ selections:
 - gid_passwd_group_same
 - grub2_audit_argument
 - install_hids
 -- logind_session_timeout
 - no_empty_passwords
 - package_aide_installed
 - package_audispd-plugins_installed
@@ -137,7 +136,6 @@ selections:
 - var_accounts_passwords_pam_faillock_deny=6
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - sshd_idle_timeout_value=15_minutes
 -- var_logind_session_timeout=15_minutes
 - var_password_pam_minlen=7
 - var_password_pam_minclass=2
 - var_accounts_maximum_age_login_defs=90
 -- 
 2.39.1
--- a/scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
+++ b/scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
--- a/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
+++ b/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -11,6 +11,16 @@ Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
 Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Rsyslog files rules remediations
 Patch1:	 scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
 # Extends rsyslog_logfiles_attributes_modify template for permissions
 Patch2:	 scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
 # Change custom zones check in firewalld_sshd_port_enabled
 Patch3:	 scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
 # Accept required and requisite control flag for pam_pwhistory
 Patch4:	 scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
 # remove rule logind_session_timeout and associated variable from profiles
 Patch5:	 scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
 BuildArch:	noarch
 BuildRequires:	libxslt
@ -101,6 +111,10 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 * Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
 - Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
 - Fix remediation of audit watch rules (RHBZ#2169441)
 - Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
 - Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
 - Unselect rule logind_session_timeout (RHBZ#2169443)
 - Add support rainer scripts in rsyslog rules (RHBZ#2169445)
 * Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
 - OSPP: fix rule related to coredump (RHBZ#2081688)