import scap-security-guide-0.1.60-5.el9

2022-04-05 06:42:48 -04:00 · 2022-04-05 06:42:48 -04:00 · 6288eb5b4f
commit 6288eb5b4f
parent 30c595cb4f
4 changed files with 293 additions and 1 deletions
--- a/SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch
+++ b/SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch
@ -0,0 +1,22 @@
+From 50eb163d9e9751c2e8cf8129523a8cf7e07a5930 Mon Sep 17 00:00:00 2001
+From: Matthew Burket <mburket@redhat.com>
+Date: Thu, 17 Feb 2022 12:49:32 -0600
+Subject: [PATCH] get_implemented_stigs in utils/create_scap_delta_tailoring.py
+ should return the implemented stig items
+
+---
+ utils/create_scap_delta_tailoring.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
+index 2c3c5d0df32..25ad1aef66e 100755
+--- a/utils/create_scap_delta_tailoring.py
+++ b/utils/create_scap_delta_tailoring.py
+@@ -127,6 +127,7 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path,
+                 known_rules[ref].append(rule['id'])
+             else:
+                 known_rules[ref] = [rule['id']]
+    return known_rules
+ 
+ 
+ get_implemented_stigs.__annotations__ = {'product': str, 'root_path': str,
--- a/SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
+++ b/SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
@ -0,0 +1,116 @@
+From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 22 Feb 2022 17:15:43 +0100
+Subject: [PATCH 1/3] remove extend definition from ovals
+
+---
+ .../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml     | 1 -
+ .../software/integrity/fips/enable_fips_mode/oval/shared.xml     | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
+index c5ae0550e6b..52d86fd4478 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
+@@ -5,7 +5,6 @@
+       <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
+       <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="proc_sys_crypto_fips_enabled" />
+       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
+-      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
+     </criteria>
+   </definition>
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 699dca06dd1..6c3f57e143f 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -6,7 +6,6 @@
+       <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
+       <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
+       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
+-      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
+     </criteria>
+   </definition>
+
+From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 22 Feb 2022 17:17:28 +0100
+Subject: [PATCH 2/3] chang warning and description
+
+---
+ .../integrity/fips/enable_fips_mode/rule.yml  | 25 ++++---------------
+ 1 file changed, 5 insertions(+), 20 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+index 9d89114b07f..6b055eac8ff 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+@@ -13,11 +13,9 @@ description: |-
+     <ul>
+     <li>Setting the kernel FIPS mode flag (<tt>/proc/sys/crypto/fips_enabled</tt>) to <tt>1</tt></li>
+     <li>Creating <tt>/etc/system-fips</tt></li>
+-    <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>FIPS</tt></li>
+    <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
+     <li>Loading the Dracut <tt>fips</tt> module</li>
+     </ul>
+-    This rule also ensures that the system policy is set to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>.
+-    Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
+ 
+ rationale: |-
+     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
+@@ -48,7 +46,7 @@ references:
+ ocil_clause: 'FIPS mode is not enabled'
+ 
+ ocil: |-
+-    To verify that FIPS is enabled properly, run the following command:
+    To verify that FIPS mode is enabled properly, run the following command:
+     <pre>fips-mode-setup --check</pre>
+     The output should contain the following:
+     <pre>FIPS mode is enabled.</pre>
+@@ -61,19 +59,6 @@ warnings:
+     - general: |-
+         The system needs to be rebooted for these changes to take effect.
+     - regulatory: |-
+-        System Crypto Modules must be provided by a vendor that undergoes
+-        FIPS-140 certifications.
+-        FIPS-140 is applicable to all Federal agencies that use
+-        cryptographic-based security systems to protect sensitive information
+-        in computer and telecommunication systems (including voice systems) as
+-        defined in Section 5131 of the Information Technology Management Reform
+-        Act of 1996, Public Law 104-106. This standard shall be used in
+-        designing and implementing cryptographic modules that Federal
+-        departments and agencies operate or are operated for them under
+-        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+-        To meet this, the system has to have cryptographic software provided by
+-        a vendor that has undergone this certification. This means providing
+-        documentation, test results, design information, and independent third
+-        party review by an accredited lab. While open source software is
+-        capable of meeting this, it does not meet FIPS-140 unless the vendor
+-        submits to this process.
+        This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
+        You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
+        This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
+
+From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Wed, 23 Feb 2022 09:16:09 +0100
+Subject: [PATCH 3/3] Update
+ linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+
+Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
+---
+ .../system/software/integrity/fips/enable_fips_mode/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+index 6b055eac8ff..30cbc939bed 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+@@ -60,5 +60,5 @@ warnings:
+         The system needs to be rebooted for these changes to take effect.
+     - regulatory: |-
+         This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
+-        You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
+        You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.
+         This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
--- a/SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
+++ b/SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
@ -0,0 +1,146 @@
+From 0ffb73fe67cb5773037f62895e6fdc93195f7c38 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 21 Feb 2022 12:55:10 +0100
+Subject: [PATCH] Remove tmux process runinng check from
+ configure_bashrc_exec_tmux.
+
+This check can cause troubles since the user must be logged to show up
+as tmux running. For example, an evaluation happening through a cron job
+wouldn't be able to make this rule work, since no terminal is being
+used.
+---
+ .../configure_bashrc_exec_tmux/oval/shared.xml     | 10 ----------
+ .../configure_bashrc_exec_tmux/rule.yml            | 14 +-------------
+ .../tests/correct_value.pass.sh                    |  1 -
+ .../tests/correct_value_d_directory.pass.sh        |  1 -
+ .../tests/duplicate_value_multiple_files.pass.sh   |  1 -
+ .../tests/tmux_not_running.fail.sh                 | 13 -------------
+ .../tests/wrong_value.fail.sh                      |  2 --
+ 7 files changed, 1 insertion(+), 41 deletions(-)
+ delete mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+index 4cb2f9e0e04..58f91eadf66 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+@@ -4,7 +4,6 @@
+     <criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
+       <criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
+         test_ref="test_configure_bashrc_exec_tmux" />
+-      <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
+     </criteria>
+   </definition>
+   <ind:textfilecontent54_test check="all" check_existence="all_exist"
+@@ -18,13 +17,4 @@
+     <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+   </ind:textfilecontent54_object>
+-
+-  <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
+-      <unix:object object_ref="obj_tmux_running"/>
+-  </unix:process58_test>
+-
+-  <unix:process58_object id="obj_tmux_running" version="1">
+-      <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
+-      <unix:pid datatype="int" operation="greater than">0</unix:pid>
+-  </unix:process58_object>
+ </def-group>
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+index 7afc5fc5e6b..9f224748894 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+@@ -8,19 +8,11 @@ description: |-
+     The <tt>tmux</tt> terminal multiplexer is used to implement
+     automatic session locking. It should be started from
+     <tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
+-    Additionally it must be ensured that the <tt>tmux</tt> process is running
+-    and it can be verified with the following command:
+-    <pre>ps all | grep tmux | grep -v grep</pre>
+ 
+ rationale: |-
+     Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
+     provides a mechanism to lock sessions after period of inactivity.
+ 
+-warnings:
+-  - general: |-
+-        The remediation does not start the tmux process, so it must be
+-        manually started or have the system rebooted after applying the fix.
+-
+ severity: medium
+ 
+ identifiers:
+@@ -34,7 +26,7 @@ references:
+     stigid@ol8: OL08-00-020041
+     stigid@rhel8: RHEL-08-020041
+ 
+-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
+ocil_clause: 'exec tmux is not present at the end of bashrc'
+ 
+ ocil: |-
+     To verify that tmux is configured to execute,
+@@ -46,9 +38,5 @@ ocil: |-
+       name=$(ps -o comm= -p $parent)
+       case "$name" in sshd|login) exec tmux ;; esac
+     fi</pre>
+-    To verify that the tmux process is running,
+-    run the following command:
+-    <pre>ps all | grep tmux | grep -v grep</pre>
+-    If the command does not produce output, this is a finding.
+ 
+ platform: machine
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+index 221c18665ef..fbc7590f27d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+@@ -9,4 +9,3 @@ if [ "$PS1" ]; then
+ fi
+ EOF
+ 
+-tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+index 1702bb17e79..6107f86f248 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+@@ -10,4 +10,3 @@ if [ "$PS1" ]; then
+ fi
+ EOF
+ 
+-tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+index 16d4acfcb5a..c662221eca1 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+@@ -17,4 +17,3 @@ if [ "$PS1" ]; then
+ fi
+ EOF
+ 
+-tmux new-session -s root -d
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+deleted file mode 100644
+index 6cb9d83efc5..00000000000
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+++ /dev/null
+@@ -1,13 +0,0 @@
+-#!/bin/bash
+-# packages = tmux
+-# remediation = none
+-
+-cat >> /etc/bashrc <<'EOF'
+-if [ "$PS1" ]; then
+-  parent=$(ps -o ppid= -p $$)
+-  name=$(ps -o comm= -p $parent)
+-  case "$name" in sshd|login) exec tmux ;; esac
+-fi
+-EOF
+-
+-killall tmux || true
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+index f13a8b038e4..9b461654572 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
+ fi
+ # vim:ts=4:sw=4
+ EOF
+-
+-tmux new-session -s root -d
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -6,7 +6,7 @@

 Name:		scap-security-guide
 Version:	0.1.60
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@ -60,6 +60,9 @@ Patch42:	scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.
 Patch43:	scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
 Patch44:	scap-security-guide-0.1.61-update-ospp-description-PR_8232.patch
 Patch45:	scap-security-guide-0.1.61-add-rule-page_alloc_shuffle_argument-PR_8234.patch
+Patch46:	scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
+Patch47:	scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch
+Patch48:	scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -146,6 +149,11 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif

 %changelog
+* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
+- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
+- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
+- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
+
 * Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
 - Fix Ansible service disabled tasks (RHBZ#2014561)
 - Update description of OSPP profile (RHBZ#2045386)