Auto sync2gitlab import of scap-security-guide-0.1.66-2.el8.src.rpm
This commit is contained in:
parent
c10135e851
commit
6af1d9d83a
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,3 +2,4 @@
|
||||
/scap-security-guide-0.1.60.tar.bz2
|
||||
/scap-security-guide-0.1.62.tar.bz2
|
||||
/scap-security-guide-0.1.63.tar.bz2
|
||||
/scap-security-guide-0.1.66.tar.bz2
|
||||
|
@ -1,8 +1,24 @@
|
||||
From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 6 Feb 2023 14:44:17 +0100
|
||||
Subject: [PATCH] Disable profiles not in good shape
|
||||
|
||||
Patch-name: disable-not-in-good-shape-profiles.patch
|
||||
Patch-id: 0
|
||||
Patch-status: |
|
||||
Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||
---
|
||||
products/rhel8/CMakeLists.txt | 1 -
|
||||
products/rhel8/profiles/cjis.profile | 2 +-
|
||||
products/rhel8/profiles/rht-ccp.profile | 2 +-
|
||||
products/rhel8/profiles/standard.profile | 2 +-
|
||||
4 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
|
||||
index 5258591c7f..cc4b9c5720 100644
|
||||
index 9c044b68ab..8f6ca03de8 100644
|
||||
--- a/products/rhel8/CMakeLists.txt
|
||||
+++ b/products/rhel8/CMakeLists.txt
|
||||
@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT})
|
||||
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
|
||||
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
|
||||
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
|
||||
@ -10,8 +26,8 @@ index 5258591c7f..cc4b9c5720 100644
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
|
||||
|
||||
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 035d2705b..c6475f33e 100644
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index 22ae5aac72..f60b65bc06 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -20,8 +36,8 @@ index 035d2705b..c6475f33e 100644
|
||||
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index c84579592..164ec98c4 100644
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index b192461f95..ae1e7d5a15 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -30,8 +46,8 @@ index c84579592..164ec98c4 100644
|
||||
|
||||
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||||
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
index a63ae2cf3..da669bb84 100644
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
|
||||
index a63ae2cf32..da669bb843 100644
|
||||
--- a/products/rhel8/profiles/standard.profile
|
||||
+++ b/products/rhel8/profiles/standard.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -41,5 +57,5 @@ index a63ae2cf3..da669bb84 100644
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.26.2
|
||||
2.39.1
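Review bot: The new `Patch-status` text at the top of this section, `Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream`, does not say what is actually done to the profiles or why, which is what a downstream maintainer deciding whether to keep carrying this patch at the next rebase needs. Suggest keeping `Patch-status: |` and replacing the body line with `Removes the cjis, rht-ccp and standard profiles from the RHEL 8 datastream; upstream considers them not in good shape (see the patch subject) and they must not be shipped as hardening targets.` The rendered view has lost the `+`/`-` markers, so the exact line each profile hunk changes within its first four lines is not visible here; if it is a `documentation_complete` toggle, naming that in Patch-status would make the effect of the patch clear without reading the hunks.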
|
||||
|
||||
|
@ -1,227 +0,0 @@
|
||||
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:42:41 +0200
|
||||
Subject: [PATCH 1/3] Add platforms for partition existence
|
||||
|
||||
---
|
||||
shared/applicability/general.yml | 14 +++++++++++++
|
||||
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
|
||||
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
|
||||
shared/macros/10-ansible.jinja | 5 +++++
|
||||
shared/macros/10-bash.jinja | 5 +++++
|
||||
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
|
||||
6 files changed, 65 insertions(+)
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
|
||||
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||
index 2d23d753148..e2f5d04ce00 100644
|
||||
--- a/shared/applicability/general.yml
|
||||
+++ b/shared/applicability/general.yml
|
||||
@@ -77,6 +77,20 @@ cpes:
|
||||
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
|
||||
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
|
||||
|
||||
+ - partition-var-tmp:
|
||||
+ name: "cpe:/a:partition-var-tmp"
|
||||
+ title: "There is a /var/tmp partition"
|
||||
+ check_id: installed_env_mounts_var_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
|
||||
+
|
||||
+ - partition-tmp:
|
||||
+ name: "cpe:/a:partition-tmp"
|
||||
+ title: "There is a /tmp partition"
|
||||
+ check_id: installed_env_mounts_tmp
|
||||
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
|
||||
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
|
||||
+
|
||||
- polkit:
|
||||
name: "cpe:/a:polkit"
|
||||
title: "Package polkit is installed"
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..c1bcd6b2431
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
new file mode 100644
|
||||
index 00000000000..a72f49c8a8f
|
||||
--- /dev/null
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<def-group>
|
||||
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
|
||||
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
|
||||
+ <criteria>
|
||||
+ {{{ partition_exists_criterion("/var/tmp") }}}
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+</def-group>
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 2d24f730d3f..478f0072bc7 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
when:
|
||||
- result_pam_file_present.stat.exists
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro ansible_partition_conditional(path) -%}}
|
||||
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
|
||||
index 94c3c6f9570..6a7fb165fd2 100644
|
||||
--- a/shared/macros/10-bash.jinja
|
||||
+++ b/shared/macros/10-bash.jinja
|
||||
@@ -2085,3 +2085,8 @@ else
|
||||
echo "{{{ pam_file }}} was not found" >&2
|
||||
fi
|
||||
{{%- endmacro -%}}
|
||||
+
|
||||
+
|
||||
+{{%- macro bash_partition_conditional(path) -%}}
|
||||
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
|
||||
+{{%- endmacro -%}}
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index c8d7bbeffb7..1ec93b6ef7d 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
{{%- else %}}
|
||||
{{%- set user_list="nobody" %}}
|
||||
{{%- endif %}}
|
||||
+
|
||||
+
|
||||
+{{%- macro partition_exists_criterion(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
+{{%- endmacro %}}
|
||||
+
|
||||
+{{%- macro partition_exists_tos(path) %}}
|
||||
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+ <linux:partition_test check="all" check_existence="all_exist"
|
||||
+ comment="Partition {{{ path }}} exists"
|
||||
+ id="test_partition_{{{ escaped_path }}}_exists"
|
||||
+ version="1">
|
||||
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
+ {{#- <linux:partition_state state_ref="" /> #}}
|
||||
+ </linux:partition_test>
|
||||
+
|
||||
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
||||
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
|
||||
+ </linux:partition_object>
|
||||
+{{%- endmacro %}}
|
||||
|
||||
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 16:43:21 +0200
|
||||
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
|
||||
|
||||
---
|
||||
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
|
||||
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
index 8ee8c8b12e0..741d0973283 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||
@@ -38,7 +38,8 @@ references:
|
||||
stigid@ol8: OL08-00-040132
|
||||
stigid@rhel8: RHEL-08-040132
|
||||
|
||||
-platform: machine
|
||||
+platforms:
|
||||
+ - machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..241c0103d82
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. $SHARED/partition.sh
|
||||
+
|
||||
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
|
||||
|
||||
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 11:32:38 +0200
|
||||
Subject: [PATCH 3/3] Improve code style
|
||||
|
||||
- Improve description of OVAL macro
|
||||
- Use the escape_id filter to produce IDs
|
||||
---
|
||||
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
|
||||
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
|
||||
shared/macros/10-oval.jinja | 7 +++----
|
||||
3 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
index c1bcd6b2431..edd8ad050f5 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
index a72f49c8a8f..cf9aafbdb04 100644
|
||||
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||
@@ -6,5 +6,5 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- {{{ partition_exists_tos("/var/tmp") }}}
|
||||
+ {{{ partition_exists_test_object("/var/tmp") }}}
|
||||
</def-group>
|
||||
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||
index 1ec93b6ef7d..f302091f7df 100644
|
||||
--- a/shared/macros/10-oval.jinja
|
||||
+++ b/shared/macros/10-oval.jinja
|
||||
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||
|
||||
|
||||
{{%- macro partition_exists_criterion(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||
{{%- endmacro %}}
|
||||
|
||||
-{{%- macro partition_exists_tos(path) %}}
|
||||
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||
+{{%- macro partition_exists_test_object(path) %}}
|
||||
+{{%- set escaped_path = path | escape_id %}}
|
||||
<linux:partition_test check="all" check_existence="all_exist"
|
||||
comment="Partition {{{ path }}} exists"
|
||||
id="test_partition_{{{ escaped_path }}}_exists"
|
||||
version="1">
|
||||
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||
- {{#- <linux:partition_state state_ref="" /> #}}
|
||||
</linux:partition_test>
|
||||
|
||||
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
@ -1,29 +0,0 @@
|
||||
From 172258291cea7100e89002203f3d9ae1bc468cd3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 21 Sep 2022 17:22:29 +0200
|
||||
Subject: [PATCH] add warning to sysctl_net_ipv4_conf_all_forwarding
|
||||
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_forwarding/rule.yml | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
index 7b0066f7c29..20a778cdf9e 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
@@ -36,6 +36,15 @@ srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless th
|
||||
|
||||
platform: machine
|
||||
|
||||
+
|
||||
+warnings:
|
||||
+ - general: |-
|
||||
+ There might be cases when certain applications can systematically override this option.
|
||||
+ One such case is {{{ weblink("https://libvirt.org/", "Libvirt") }}}; a toolkit for managing of virtualization platforms.
|
||||
+ By default, Libvirt requires IP forwarding to be enabled to facilitate
|
||||
+ network communication between the virtualization host and guest
|
||||
+ machines. It enables IP forwarding after every reboot.
|
||||
+
|
||||
template:
|
||||
name: sysctl
|
||||
vars:
|
@ -1,92 +0,0 @@
|
||||
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:35:50 +0200
|
||||
Subject: [PATCH] Add the platform applicability to relevant rules
|
||||
|
||||
---
|
||||
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
|
||||
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
index 45a73e0286a..79a19a8d30b 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040123
|
||||
stigid@rhel8: RHEL-08-040123
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
index 7356183bab3..d3f6d6175e5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||
@@ -44,7 +44,7 @@ references:
|
||||
stigid@ol8: OL08-00-040125
|
||||
stigid@rhel8: RHEL-08-040125
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
index d153b86934f..10790dc95a7 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||
@@ -45,7 +45,7 @@ references:
|
||||
stigid@ol8: OL08-00-040124
|
||||
stigid@rhel8: RHEL-08-040124
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
index 133e7727ca7..05992df4b49 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||
@@ -31,7 +31,7 @@ references:
|
||||
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||||
nist-csf: PR.IP-1,PR.PT-3
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
index 39fd458ec6b..dc00b2f2376 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040134
|
||||
stigid@rhel8: RHEL-08-040134
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
||||
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
index 349f3348955..f0c26b6d9c5 100644
|
||||
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||
@@ -38,7 +38,7 @@ references:
|
||||
stigid@ol8: OL08-00-040133
|
||||
stigid@rhel8: RHEL-08-040133
|
||||
|
||||
-platform: machine
|
||||
+platform: machine and partition-var-tmp
|
||||
|
||||
template:
|
||||
name: mount_option
|
@ -1,48 +0,0 @@
|
||||
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:14:58 +0200
|
||||
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
|
||||
|
||||
It seems that the data about ansible_mounts should be accessed without
|
||||
the 'ansible_facts' prefix.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index 478f0072bc7..e8bff0973f5 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
{{%- endmacro -%}}
|
||||
|
||||
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 13:16:24 +0200
|
||||
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
|
||||
|
||||
The json_query filter requires package jmespath to be installed.
|
||||
|
||||
This also avoids mismatchs in python version between ansible and
|
||||
python3-jmespath. Some distros (RHEL8) don't have jmespath module
|
||||
available for the same python version ansible is using.
|
||||
---
|
||||
shared/macros/10-ansible.jinja | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||
index e8bff0973f5..beb2bc11403 100644
|
||||
--- a/shared/macros/10-ansible.jinja
|
||||
+++ b/shared/macros/10-ansible.jinja
|
||||
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||
|
||||
|
||||
{{%- macro ansible_partition_conditional(path) -%}}
|
||||
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
|
||||
{{%- endmacro -%}}
|
@ -1,33 +0,0 @@
|
||||
From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 16 Aug 2022 18:53:02 +0200
|
||||
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
|
||||
|
||||
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
|
||||
uses zIPL.
|
||||
---
|
||||
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 65056a654c6..7af675de0d3 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -7,9 +7,16 @@
|
||||
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- {{% if product in ["ol8","rhel8"] %}}
|
||||
+ {{% if product in ["ol8"] %}}
|
||||
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
test_ref="test_grubenv_fips_mode" />
|
||||
+ {{% elif product in ["rhel8"] %}}
|
||||
+ <criteria operator="OR">
|
||||
+ <extend_definition comment="Generic test for s390x architecture"
|
||||
+ definition_ref="system_info_architecture_s390_64" />
|
||||
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
+ test_ref="test_grubenv_fips_mode" />
|
||||
+ </criteria>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</definition>
|
@ -1,107 +0,0 @@
|
||||
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 12:45:24 +0200
|
||||
Subject: [PATCH] Fix rule sudo_custom_logfile
|
||||
|
||||
- Allow only white space after the Default keyword to avoid
|
||||
matching words that only start with Default.
|
||||
- If the variable value contains slashes they need to be escaped
|
||||
because the sed command uses slashes as a separator, otherwise
|
||||
the sed doesn't replace the wrong line during a remediation.
|
||||
|
||||
Also adds 2 test scenarios.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
|
||||
---
|
||||
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
|
||||
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
|
||||
shared/templates/sudo_defaults_option/ansible.template | 2 +-
|
||||
shared/templates/sudo_defaults_option/bash.template | 5 +++--
|
||||
shared/templates/sudo_defaults_option/oval.template | 2 +-
|
||||
6 files changed, 14 insertions(+), 5 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index 739f5f14936..94fbaaa33ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
|
||||
|
||||
ocil: |-
|
||||
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
The command should return a matching output.
|
||||
|
||||
template:
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..13ff4559edb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ec24854f0f9
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_all
|
||||
+
|
||||
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
|
||||
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
|
||||
index 094fa430b64..c9e344ec772 100644
|
||||
--- a/shared/templates/sudo_defaults_option/ansible.template
|
||||
+++ b/shared/templates/sudo_defaults_option/ansible.template
|
||||
@@ -8,7 +8,7 @@
|
||||
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
|
||||
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
|
||||
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
|
||||
validate: /usr/sbin/visudo -cf %s
|
||||
backrefs: yes
|
||||
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
|
||||
index e3563d42db6..e7d962a668d 100644
|
||||
--- a/shared/templates/sudo_defaults_option/bash.template
|
||||
+++ b/shared/templates/sudo_defaults_option/bash.template
|
||||
@@ -9,7 +9,7 @@
|
||||
{{% endif %}}
|
||||
if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
cp /etc/sudoers /etc/sudoers.bak
|
||||
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||
# sudoers file doesn't define Option {{{ OPTION }}}
|
||||
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
|
||||
{{%- if not VARIABLE_NAME %}}
|
||||
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||
{{% if '/' in OPTION %}}
|
||||
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
|
||||
{{% endif %}}
|
||||
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
|
||||
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
|
||||
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
|
||||
fi
|
||||
fi
|
||||
{{% endif %}}
|
||||
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
|
||||
index c0d81c95093..a9636a7204a 100644
|
||||
--- a/shared/templates/sudo_defaults_option/oval.template
|
||||
+++ b/shared/templates/sudo_defaults_option/oval.template
|
||||
@@ -13,7 +13,7 @@
|
||||
</ind:textfilecontent54_test>
|
||||
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -1,967 +0,0 @@
|
||||
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Wed, 13 Apr 2022 20:06:18 +0800
|
||||
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
|
||||
|
||||
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
|
||||
A simple test case as follows:
|
||||
|
||||
/etc/rsyslog.conf
|
||||
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
||||
|
||||
/etc/rsyslog.d/custom1.conf
|
||||
local1.* /tmp/local1.out
|
||||
|
||||
/etc/rsyslog.d/custom2.conf
|
||||
local2.* /tmp/local2.out
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index b794ea8db31..02b0c36d899 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,8 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 14 Apr 2022 15:58:04 +0800
|
||||
Subject: [PATCH 02/15] A better fix.
|
||||
|
||||
* Should also fixed the CI failure.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 02b0c36d899..1aebb8f9da5 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -5,8 +5,10 @@
|
||||
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 15 Apr 2022 10:47:37 +0800
|
||||
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
|
||||
|
||||
---
|
||||
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
|
||||
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
|
||||
2 files changed, 113 insertions(+)
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
new file mode 100755
|
||||
index 00000000000..7cb09128d78
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -0,0 +1,56 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0600 from $IncludeConfig passes.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS=0600
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
new file mode 100755
|
||||
index 00000000000..942eaf086a1
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -0,0 +1,57 @@
|
||||
+#!/bin/bash
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+
|
||||
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
+# log file permissions 0601 from $IncludeConfig fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+mkdir ${conf_subdir}
|
||||
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+cat << EOF > ${test_subdir_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+
|
||||
+EOF
|
||||
|
||||
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Thu, 19 May 2022 01:22:19 +0800
|
||||
Subject: [PATCH 04/15] The way using 'find' can be retired.
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
|
||||
1 file changed, 5 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 1aebb8f9da5..cece5930ee8 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
-RSYSLOG_CONFIGS=()
|
||||
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+declare -a RSYSLOG_CONFIGS
|
||||
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Get full list of files to be checked
|
||||
-# RSYSLOG_CONFIGS may contain globs such as
|
||||
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
-RSYSLOG_FILES=()
|
||||
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
-do
|
||||
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
|
||||
- RSYSLOG_FILES+=("${FINDOUT[@]}")
|
||||
-done
|
||||
-
|
||||
-# Check file and fix if needed.
|
||||
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
|
||||
+# Browse each file selected above as containing paths of log files
|
||||
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:30:37 +0800
|
||||
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cece5930ee8..50d36d7426f 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
# Declare an array to hold the final list of different log file paths
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
+# Array to hold all rsyslog config entries
|
||||
declare -a RSYSLOG_CONFIGS
|
||||
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
+# Array to hold all rsyslog config files
|
||||
+declare -a RSYSLOG_CONFIG_FILES
|
||||
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
+do
|
||||
+ # If directory, need to include files recursively
|
||||
+ if [ -d "${ENTRY}" ]
|
||||
+ then
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
+ elif [ -f "${ENTRY}" ]
|
||||
+ then
|
||||
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
||||
+ else
|
||||
+ echo "Invalid include object: ${ENTRY}"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
# Browse each file selected above as containing paths of log files
|
||||
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
||||
do
|
||||
# From each of these files extract just particular log file path(s), thus:
|
||||
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||
|
||||
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 01:46:33 +0800
|
||||
Subject: [PATCH 06/15] Update test files.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 7cb09128d78..2ddd9fcb697 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 942eaf086a1..73ff3332c6d 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||
|
||||
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||
|
||||
EOF
|
||||
|
||||
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Fri, 20 May 2022 10:03:32 +0800
|
||||
Subject: [PATCH 07/15] Rsyslog says we should include all files
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
|
||||
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
|
||||
3 files changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 50d36d7426f..cd5014105e9 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -24,7 +24,7 @@ do
|
||||
# If directory, need to include files recursively
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 2ddd9fcb697..755865ca522 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -31,12 +35,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 73ff3332c6d..063b1a0cbe5 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,20 +10,24 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 3
|
||||
+create_rsyslog_test_logs 4
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
|
||||
# create test configuration file
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
mkdir ${conf_subdir}
|
||||
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+
|
||||
cat << EOF > ${test_subdir_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
@@ -32,12 +36,22 @@ EOF
|
||||
|
||||
cat << EOF > ${test_conf}
|
||||
# rsyslog configuration file
|
||||
+# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_bak}
|
||||
+# rsyslog configuration file
|
||||
+# test_bak
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sat, 21 May 2022 16:02:26 +0800
|
||||
Subject: [PATCH 08/15] Match glob() function of rsyslog
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
|
||||
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
|
||||
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
|
||||
3 files changed, 55 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index cd5014105e9..38105bf086b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
|
||||
declare -a RSYSLOG_CONFIG_FILES
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
- # If directory, need to include files recursively
|
||||
+ # If directory, rsyslog will search for config files in recursively.
|
||||
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
||||
if [ -d "${ENTRY}" ]
|
||||
then
|
||||
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
||||
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||
elif [ -f "${ENTRY}" ]
|
||||
then
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
index 755865ca522..a5a2f67fadc 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
|
||||
PERMS=0600
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index 063b1a0cbe5..a9d0adfb727 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -10,48 +10,61 @@ PERMS_PASS=0600
|
||||
PERMS_FAIL=0601
|
||||
|
||||
# setup test data
|
||||
-create_rsyslog_test_logs 4
|
||||
+create_rsyslog_test_logs 5
|
||||
|
||||
# setup test log files and permissions
|
||||
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
|
||||
|
||||
-# create test configuration file
|
||||
+# create test configuration files
|
||||
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||
mkdir ${conf_subdir}
|
||||
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||
+mkdir ${conf_hiddir}
|
||||
|
||||
-cat << EOF > ${test_subdir_conf}
|
||||
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||
+
|
||||
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||
+
|
||||
+cat << EOF > ${test_conf_in_subdir}
|
||||
# rsyslog configuration file
|
||||
-# test_subdir_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_conf}
|
||||
+cat << EOF > ${test_conf_name_bak}
|
||||
# rsyslog configuration file
|
||||
-# test_conf
|
||||
|
||||
#### RULES ####
|
||||
|
||||
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
EOF
|
||||
|
||||
-cat << EOF > ${test_bak}
|
||||
+cat << EOF > ${test_conf_in_hiddir}
|
||||
# rsyslog configuration file
|
||||
-# test_bak
|
||||
+# not used
|
||||
|
||||
#### RULES ####
|
||||
|
||||
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||
EOF
|
||||
|
||||
+cat << EOF > ${test_conf_dot_name}
|
||||
+# rsyslog configuration file
|
||||
+# not used
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||
+EOF
|
||||
+
|
||||
# create rsyslog.conf configuration file
|
||||
cat << EOF > $RSYSLOG_CONF
|
||||
# rsyslog configuration file
|
||||
|
||||
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Sun, 22 May 2022 21:10:16 +0800
|
||||
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
|
||||
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index 38105bf086b..e1129e34c81 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -54,7 +54,7 @@ do
|
||||
then
|
||||
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
||||
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
||||
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
|
||||
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
|
||||
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
||||
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
||||
# Since above sed command might return more than one item (delimited by newline), split the particular
|
||||
|
||||
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
|
||||
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||
Date: Tue, 24 May 2022 00:42:17 +0800
|
||||
Subject: [PATCH 10/15] Added platform.
|
||||
|
||||
---
|
||||
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
index a9d0adfb727..fe4db0a3c91 100755
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/bin/bash
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||
|
||||
# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||
# log file permissions 0601 from $IncludeConfig fails.
|
||||
|
||||
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 13:56:39 +0200
|
||||
Subject: [PATCH 11/15] Reset the arrays before using them
|
||||
|
||||
When bash remediations for a profile are generated, it can happen that a
|
||||
variable with same name is used for multiple remediations.
|
||||
So let's reset the array before using it.
|
||||
---
|
||||
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
index e1129e34c81..d1856ffbe7b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||
declare -a LOG_FILE_PATHS
|
||||
|
||||
# Array to hold all rsyslog config entries
|
||||
-declare -a RSYSLOG_CONFIGS
|
||||
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
+RSYSLOG_CONFIGS=()
|
||||
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||
|
||||
-# Array to hold all rsyslog config files
|
||||
-declare -a RSYSLOG_CONFIG_FILES
|
||||
+# Get full list of files to be checked
|
||||
+# RSYSLOG_CONFIGS may contain globs such as
|
||||
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||
+RSYSLOG_CONFIG_FILES=()
|
||||
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||
do
|
||||
# If directory, rsyslog will search for config files in recursively.
|
||||
|
||||
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 14:55:37 +0200
|
||||
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
|
||||
|
||||
Let's follow rsyslog behavior and not capture process hidden config
|
||||
files for includes.
|
||||
---
|
||||
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
|
||||
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
|
||||
2 files changed, 62 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
index a04e6fd8900..d13177216c3 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||
@@ -17,8 +17,17 @@
|
||||
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
|
||||
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
|
||||
+ include() or $IncludeConfig that point to hidden dirs or files.
|
||||
+ Rsyslog ignores these conf files, so we should ignore them too.
|
||||
+ -->
|
||||
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
||||
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
||||
<unique>
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..9b0185c6b2f
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||
@@ -0,0 +1,53 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# create hidden test2 configuration file
|
||||
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
|
||||
+cat << EOF > ${test_conf2}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||
+EOF
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 15:49:11 +0200
|
||||
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
|
||||
|
||||
The rsyslog conf file may include other config files.
|
||||
If the included missing files are missing rsyslog will generate an
|
||||
error, but will still continue working.
|
||||
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
|
||||
|
||||
There is not a good way of ensuring that all files defined in a list of paths exist.
|
||||
---
|
||||
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
|
||||
1 file changed, 45 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b929f2a94ab
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||
@@ -0,0 +1,45 @@
|
||||
+#!/bin/bash
|
||||
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||
+
|
||||
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||
+# log file permissions 0601 from include() fails.
|
||||
+
|
||||
+source $SHARED/rsyslog_log_utils.sh
|
||||
+
|
||||
+PERMS_PASS=0600
|
||||
+PERMS_FAIL=0601
|
||||
+
|
||||
+# setup test data
|
||||
+create_rsyslog_test_logs 3
|
||||
+
|
||||
+# setup test log files and permissions
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||
+
|
||||
+# create test configuration file
|
||||
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||
+cat << EOF > ${test_conf}
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||
+EOF
|
||||
+
|
||||
+# Skip creation test2 configuration file
|
||||
+
|
||||
+# create rsyslog.conf configuration file
|
||||
+cat << EOF > $RSYSLOG_CONF
|
||||
+# rsyslog configuration file
|
||||
+
|
||||
+#### RULES ####
|
||||
+
|
||||
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||
+
|
||||
+#### MODULES ####
|
||||
+
|
||||
+include(file="${test_conf}")
|
||||
+
|
||||
+\$IncludeConfig ${test_conf2}
|
||||
+EOF
|
||||
|
||||
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:47:18 +0200
|
||||
Subject: [PATCH 14/15] Align Ansible remediation with Bash
|
||||
|
||||
The remediation now expands the glob expressions and doesn't collect
|
||||
hidden files or directories to check for their permissions.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index 635b72f7352..c558bf46c71 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -19,19 +19,26 @@
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
||||
- register: include_config_output
|
||||
+ register: rsyslog_old_inc
|
||||
changed_when: False
|
||||
|
||||
- name: "Get include files directives"
|
||||
shell: |
|
||||
set -o pipefail
|
||||
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
||||
- register: include_files_output
|
||||
+ register: rsyslog_new_inc
|
||||
changed_when: False
|
||||
|
||||
+- name: "Expand glob expressions"
|
||||
+ shell: |
|
||||
+ set -o pipefail
|
||||
+ eval printf '%s\\n' {{ item }}
|
||||
+ register: include_config_output
|
||||
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
||||
+
|
||||
- name: "List all config files"
|
||||
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
|
||||
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
|
||||
+ shell: find {{ item }} -not -path "*/.*" -type f
|
||||
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
changed_when: False
|
||||
|
||||
|
||||
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 21:56:05 +0200
|
||||
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
|
||||
|
||||
Let's not fail the task when the find doesn't find the include object.
|
||||
When the include is a glob expression that doesn't evaluate to any file
|
||||
the glob itself is used in find command.
|
||||
|
||||
The Bash remediation prints a message for each include that is not a
|
||||
file is not a directory or doesn't exist.
|
||||
---
|
||||
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
index c558bf46c71..3a9380cf13b 100644
|
||||
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||
@@ -40,6 +40,7 @@
|
||||
shell: find {{ item }} -not -path "*/.*" -type f
|
||||
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||
register: rsyslog_config_files
|
||||
+ failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: "Extract log files"
|
@ -1,90 +0,0 @@
|
||||
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||
Subject: [PATCH 1/4] fix ospp references
|
||||
|
||||
---
|
||||
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
index c151d3c4aa1..f9b46c51ddd 100644
|
||||
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
@@ -34,6 +34,7 @@ references:
|
||||
disa: CCI-000213
|
||||
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||
nist: AC-3
|
||||
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
|
||||
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index b47630c62b0..dcc41970043 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -115,7 +115,7 @@ selections:
|
||||
- coredump_disable_storage
|
||||
- coredump_disable_backtraces
|
||||
- service_systemd-coredump_disabled
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- use_pam_wheel_for_su
|
||||
|
||||
|
||||
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||
|
||||
---
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -220,7 +220,7 @@ selections:
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- securetty_root_login_console_only
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- var_password_pam_unix_remember=5
|
||||
- accounts_password_pam_unix_remember
|
||||
|
||||
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||
Subject: [PATCH 4/4] update profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 5d73a8c6fef..21e93e310d5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -242,7 +242,7 @@ selections:
|
||||
- var_slub_debug_options=P
|
||||
- var_auditd_flush=incremental_async
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
-- var_authselect_profile=sssd
|
||||
+- var_authselect_profile=minimal
|
||||
- var_password_pam_unix_remember=5
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
@ -1,50 +0,0 @@
|
||||
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 10 Aug 2022 09:59:57 +0200
|
||||
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
|
||||
grub2_disable_recovery in rhel8 ospp
|
||||
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
index 4f8d4ddcfde..fb126cbe7d8 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||
@@ -17,6 +17,7 @@ rationale: |-
|
||||
severity: medium
|
||||
|
||||
identifiers:
|
||||
+ cce@rhel8: CCE-86006-4
|
||||
cce@rhel9: CCE-85986-8
|
||||
|
||||
references:
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index ebec8a3a6f9..6e3b30f64bb 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -304,7 +304,7 @@ selections:
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
- require_singleuser_auth
|
||||
- - grub2_disable_interactive_boot
|
||||
+ - grub2_disable_recovery
|
||||
- grub2_uefi_password
|
||||
- no_empty_passwords
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 21e93e310d5..267b66a4f89 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -89,7 +89,7 @@ selections:
|
||||
- ensure_redhat_gpgkey_installed
|
||||
- grub2_audit_argument
|
||||
- grub2_audit_backlog_limit_argument
|
||||
-- grub2_disable_interactive_boot
|
||||
+- grub2_disable_recovery
|
||||
- grub2_kernel_trust_cpu_rng
|
||||
- grub2_page_poison_argument
|
||||
- grub2_pti_argument
|
@ -1,26 +0,0 @@
|
||||
From bd2128cdc6a657306b8c9644481346f0ab4411f6 Mon Sep 17 00:00:00 2001
|
||||
From: Edgar Aguilar <edgar.aguilar@oracle.com>
|
||||
Date: Mon, 5 Sep 2022 11:07:33 -0500
|
||||
Subject: [PATCH] Update OVAL in openssh rule
|
||||
|
||||
Update OVAL in harden_sshd_ciphers_opensshserver_conf_crypto_policy to
|
||||
align it with generated conf by remediation
|
||||
|
||||
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
|
||||
---
|
||||
.../oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||||
index 53919eaae7f..21d4e716dbc 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
||||
<ind:filepath>{{{ PATH }}}</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=[^\s']+).*$</ind:pattern>
|
||||
<ind:instance operation="equals" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
@ -1,97 +0,0 @@
|
||||
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:01:42 +0200
|
||||
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
|
||||
|
||||
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
|
||||
---
|
||||
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
|
||||
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
|
||||
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
|
||||
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
|
||||
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
index 9d1b7b675c9..5905ea8d0e6 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||
@@ -22,6 +22,7 @@
|
||||
- /usr/sbin/aureport
|
||||
- /usr/sbin/ausearch
|
||||
- /usr/sbin/autrace
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
|
||||
|
||||
- name: Ensure existing AIDE configuration for audit tools are correct
|
||||
lineinfile:
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
index d0a1ba2522f..a81e25c3950 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||
@@ -18,12 +18,11 @@
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
-{{% if product == 'ol8' %}}
|
||||
+{{% if product == 'ol8' or 'rhel' in product %}}
|
||||
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
|
||||
{{% endif %}}
|
||||
|
||||
{{% for file in auditfiles %}}
|
||||
-
|
||||
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
|
||||
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
|
||||
else
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
index 6ce56c1137a..ca9bf4f94d0 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||
@@ -11,7 +11,7 @@
|
||||
{{% if 'rhel' not in product and product != 'ol8' %}}
|
||||
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
|
||||
{{% endif %}}
|
||||
- {{% if product == 'ol8' %}}
|
||||
+ {{% if product == 'ol8' or 'rhel' in product %}}
|
||||
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
|
||||
{{% endif %}}
|
||||
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
index 756b88d8a23..071dde13295 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||
@@ -7,7 +7,7 @@ aide --init
|
||||
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
index f3a2a126d3d..cb9bbfa7350 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||
@@ -4,7 +4,7 @@
|
||||
yum -y install aide
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
index 4315cef2073..a22aecb0000 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||
@@ -6,7 +6,7 @@ yum -y install aide
|
||||
aide --init
|
||||
|
||||
declare -a bins
|
||||
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||
|
||||
for theFile in "${bins[@]}"
|
||||
do
|
@ -1,187 +0,0 @@
|
||||
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:50:37 +0200
|
||||
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
|
||||
|
||||
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
|
||||
sysctl_net_ipv4_forward.
|
||||
---
|
||||
.../rule.yml | 44 +++++++++++++++++++
|
||||
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..7b0066f7c29
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||
@@ -0,0 +1,44 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: rhel8
|
||||
+
|
||||
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ IP forwarding permits the kernel to forward packets from one network
|
||||
+ interface to another. The ability to forward packets between two networks is
|
||||
+ only appropriate for systems acting as routers.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel8: CCE-86220-1
|
||||
+
|
||||
+references:
|
||||
+ disa: CCI-000366
|
||||
+ nist: CM-6(b)
|
||||
+ srg: SRG-OS-000480-GPOS-00227
|
||||
+ stigid@rhel8: RHEL-08-040259
|
||||
+
|
||||
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
|
||||
+ The ability to forward packets is only appropriate for routers.
|
||||
+
|
||||
+fixtext: |-
|
||||
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
|
||||
+
|
||||
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: net.ipv4.conf.all.forwarding
|
||||
+ datatype: int
|
||||
+
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
new file mode 100644
|
||||
index 00000000000..2aedd6e6432
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||
@@ -0,0 +1,17 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: net.ipv4.conf.all.forwarding
|
||||
+
|
||||
+description: 'Toggle IPv4 Forwarding'
|
||||
+
|
||||
+type: number
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+options:
|
||||
+ default: "0"
|
||||
+ disabled: "0"
|
||||
+ enabled: 1
|
||||
+
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index 914233f06bf..3e14b73dd71 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -168,7 +168,6 @@ CCE-86216-9
|
||||
CCE-86217-7
|
||||
CCE-86218-5
|
||||
CCE-86219-3
|
||||
-CCE-86220-1
|
||||
CCE-86221-9
|
||||
CCE-86222-7
|
||||
CCE-86223-5
|
||||
|
||||
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 1 Aug 2022 17:53:32 +0200
|
||||
Subject: [PATCH 2/2] Better align with RHEL-08-040259
|
||||
|
||||
The item is about net.ipv4.conf.all.forwarding
|
||||
The update to V1R7 made brought this misalignment to light.
|
||||
---
|
||||
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
4 files changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
index 5c449db7f3a..7acfc0b05b6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||
@@ -45,7 +45,6 @@ references:
|
||||
stigid@ol7: OL07-00-040740
|
||||
stigid@ol8: OL08-00-040260
|
||||
stigid@rhel7: RHEL-07-040740
|
||||
- stigid@rhel8: RHEL-08-040259
|
||||
stigid@sle12: SLES-12-030430
|
||||
stigid@sle15: SLES-15-040380
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 4b480bd2c11..6b44436a2b1 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1127,7 +1127,7 @@ selections:
|
||||
- sysctl_net_ipv6_conf_default_accept_source_route
|
||||
|
||||
# RHEL-08-040259
|
||||
- - sysctl_net_ipv4_ip_forward
|
||||
+ - sysctl_net_ipv4_conf_all_forwarding
|
||||
|
||||
# RHEL-08-040260
|
||||
- sysctl_net_ipv6_conf_all_forwarding
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 4bee72830d0..47f53a9d023 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -1,7 +1,7 @@
|
||||
title: DISA STIG for Red Hat Enterprise Linux 8
|
||||
description: 'This profile contains configuration checks that align to the
|
||||
|
||||
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
|
||||
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
|
||||
|
||||
|
||||
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||
@@ -395,13 +395,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index ece32d06a6f..c4e60ddcde5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -405,13 +405,13 @@ selections:
|
||||
- sysctl_net_core_bpf_jit_harden
|
||||
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||
+- sysctl_net_ipv4_conf_all_forwarding
|
||||
- sysctl_net_ipv4_conf_all_rp_filter
|
||||
- sysctl_net_ipv4_conf_all_send_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_conf_default_send_redirects
|
||||
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||
-- sysctl_net_ipv4_ip_forward
|
||||
- sysctl_net_ipv6_conf_all_accept_ra
|
||||
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||
- sysctl_net_ipv6_conf_all_accept_source_route
|
@ -1,89 +0,0 @@
|
||||
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Tue, 9 Aug 2022 17:28:33 +0200
|
||||
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
|
||||
profile.
|
||||
|
||||
---
|
||||
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
|
||||
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
|
||||
products/rhel8/profiles/stig.profile | 14 +++++++-------
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
||||
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
|
||||
5 files changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
index 46ea0558a42..1e9c6172758 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
@@ -57,6 +57,7 @@ references:
|
||||
stigid@ol7: OL07-00-040320
|
||||
stigid@ol8: OL08-00-010201
|
||||
stigid@rhel7: RHEL-07-040320
|
||||
+ stigid@rhel8: RHEL-08-010201
|
||||
stigid@sle12: SLES-12-030190
|
||||
stigid@sle15: SLES-15-010280
|
||||
stigid@ubuntu2004: UBTU-20-010037
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
index 0f0693ddc6c..f6e98a61d9a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
@@ -53,6 +53,7 @@ references:
|
||||
stigid@ol7: OL07-00-040340
|
||||
stigid@ol8: OL08-00-010200
|
||||
stigid@rhel7: RHEL-07-040340
|
||||
+ stigid@rhel8: RHEL-08-010200
|
||||
stigid@sle12: SLES-12-030191
|
||||
stigid@sle15: SLES-15-010320
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 6b44436a2b1..124b7520d3a 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -170,13 +170,13 @@ selections:
|
||||
# RHEL-08-010190
|
||||
- dir_perms_world_writable_sticky_bits
|
||||
|
||||
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||
- # anymore. They will be disabled for now until an alternative
|
||||
- # solution is found.
|
||||
- # # RHEL-08-010200
|
||||
- # - sshd_set_keepalive_0
|
||||
- # # RHEL-08-010201
|
||||
- # - sshd_set_idle_timeout
|
||||
+ # Although these rules have a different behavior in RHEL>=8.6
|
||||
+ # they still need to be selected so it follows exactly what STIG
|
||||
+ # states.
|
||||
+ # RHEL-08-010200
|
||||
+ - sshd_set_keepalive_0
|
||||
+ # RHEL-08-010201
|
||||
+ - sshd_set_idle_timeout
|
||||
|
||||
# RHEL-08-010210
|
||||
- file_permissions_var_log_messages
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 47f53a9d023..6c75d0ae1b1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -369,6 +369,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index c4e60ddcde5..8a7a469b940 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -379,6 +379,8 @@ selections:
|
||||
- sshd_enable_warning_banner
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
+- sshd_set_idle_timeout
|
||||
+- sshd_set_keepalive_0
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
@ -1,113 +0,0 @@
|
||||
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 15:57:52 +0200
|
||||
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
|
||||
|
||||
Update rule sudoers_default_includedir to accept as compliant sudoers
|
||||
files that don't have any #include or #includedir directive
|
||||
---
|
||||
.../oval/shared.xml | 24 +++++++++++++++----
|
||||
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
|
||||
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
|
||||
3 files changed, 26 insertions(+), 8 deletions(-)
|
||||
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 59cab0b89de..629fbe8c6d2 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -1,10 +1,16 @@
|
||||
<def-group>
|
||||
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||
- <criteria operator="AND">
|
||||
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criteria operator="OR">
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
|
||||
+ </criteria>
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ </criteria>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
@@ -32,6 +38,16 @@
|
||||
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
|
||||
+ <ind:object object_ref="object_sudoers_without_includedir" />
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
|
||||
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||
<ind:object object_ref="object_sudoersd_without_includes" />
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
index aa2aaee19f8..83bfb0183bd 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||
@@ -8,9 +8,11 @@ description: |-
|
||||
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||
other directories and configuration files from the file currently being parsed.
|
||||
|
||||
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
|
||||
+ or that no drop-in file is included.
|
||||
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
|
||||
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
|
||||
Note that the '#' character doesn't denote a comment in the configuration file.
|
||||
|
||||
rationale: |-
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
similarity index 51%
|
||||
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
index 1e0ab8aea92..fe73cb25076 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/bin/bash
|
||||
# platform = multi_platform_all
|
||||
|
||||
-sed -i "/#includedir.*/d" /etc/sudoers
|
||||
+sed -i "/#include(dir)?.*/d" /etc/sudoers
|
||||
|
||||
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 12:01:12 +0200
|
||||
Subject: [PATCH 2/2] Improve definition's comments
|
||||
|
||||
---
|
||||
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
index 629fbe8c6d2..82095acc6ed 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||
@@ -8,8 +8,8 @@
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
|
||||
</criteria>
|
||||
</criteria>
|
||||
</definition>
|
@ -1,358 +0,0 @@
|
||||
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 09:57:33 +0200
|
||||
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
|
||||
.../tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
|
||||
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 496a8491f32..697f79fa872 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,4 +59,8 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..516bfaf1369
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="1"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..ef1b8da0479
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w net.ipv4.conf.all.rp_filter="2"
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
index e3fc78e3f05..1eae854f6b0 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||
@@ -17,5 +17,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- disabled: "0"
|
||||
enabled: 1
|
||||
+ loose: 2
|
||||
|
||||
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 10:53:40 +0200
|
||||
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
|
||||
|
||||
This also removes value '0' from the list of possible configurations.
|
||||
This change aligns the rule better with STIG.
|
||||
---
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
|
||||
.../sysctl_kernel_kptr_restrict_value.var | 1 -
|
||||
4 files changed, 24 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 1984b3c8691..5706eee0a0a 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,6 +42,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ sysctlval:
|
||||
+ - '1'
|
||||
+ - '2'
|
||||
+ wrong_sysctlval_for_testing: "0"
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..e6efae48b25
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="1"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..be3f2b743ef
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.kptr_restrict="2"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
index 452328e3efd..268550de53d 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||
@@ -12,6 +12,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 1
|
||||
- 0: 0
|
||||
1: 1
|
||||
2: 2
|
||||
|
||||
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:08:34 +0200
|
||||
Subject: [PATCH 3/5] Remove variable selector that will result in error
|
||||
|
||||
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
|
||||
cannot have the value 0, it will never result in pass.
|
||||
---
|
||||
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
index b8bf965a255..cbfd9bafa91 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||
@@ -13,6 +13,5 @@ interactive: false
|
||||
|
||||
options:
|
||||
default: 2
|
||||
- 0: "0"
|
||||
1: "1"
|
||||
2: "2"
|
||||
|
||||
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 11:33:03 +0200
|
||||
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
|
||||
|
||||
For now, the only STIGs I see that adopted this change were RHEL's and
|
||||
OL's.
|
||||
---
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
|
||||
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
|
||||
6 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index 697f79fa872..f04ae37c13d 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -59,8 +59,10 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
index 516bfaf1369..583b70a3b97 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
index ef1b8da0479..ef545976dc6 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index 5706eee0a0a..f53e035effa 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -42,10 +42,12 @@ template:
|
||||
name: sysctl
|
||||
vars:
|
||||
sysctlvar: kernel.kptr_restrict
|
||||
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||
sysctlval:
|
||||
- '1'
|
||||
- '2'
|
||||
wrong_sysctlval_for_testing: "0"
|
||||
+ {{% endif %}}
|
||||
datatype: int
|
||||
|
||||
fixtext: |-
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
index e6efae48b25..70189666c16 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
index be3f2b743ef..209395fa9a1 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||
@@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
+# platform = multi_platform_ol,multi_platform_rhel
|
||||
|
||||
# Clean sysctl config directories
|
||||
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
|
||||
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 14:01:40 +0200
|
||||
Subject: [PATCH 5/5] Update OCIL check along with the rule
|
||||
|
||||
The OCIL should should mention both compliant values.
|
||||
---
|
||||
.../rule.yml | 29 +++++++++++++++++--
|
||||
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
|
||||
2 files changed, 55 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
index f04ae37c13d..4d31c6c3ebd 100644
|
||||
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||
@@ -47,11 +47,36 @@ references:
|
||||
stigid@rhel7: RHEL-07-040611
|
||||
stigid@rhel8: RHEL-08-040285
|
||||
|
||||
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
|
||||
+ or:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ net.ipv4.conf.all.rp_filter = 1
|
||||
+ or:
|
||||
+ net.ipv4.conf.all.rp_filter = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
|
||||
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
|
||||
|
||||
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
index f53e035effa..367934b5672 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||
@@ -34,6 +34,33 @@ references:
|
||||
|
||||
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
||||
|
||||
+ocil: |-
|
||||
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl kernel.kptr_restrict</pre>
|
||||
+ The output of the command should indicate either:
|
||||
+ <code>kernel.kptr_restrict = 1</code>
|
||||
+ or:
|
||||
+ <code>kernel.kptr_restrict = 2</code>
|
||||
+ The output of the command should not indicate:
|
||||
+ <code>kernel.kptr_restrict = 0</code>
|
||||
+
|
||||
+ The preferable way how to assure the runtime compliance is to have
|
||||
+ correct persistent configuration, and rebooting the system.
|
||||
+
|
||||
+ The persistent kernel parameter configuration is performed by specifying the appropriate
|
||||
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||
+ The command should not find any assignments other than:
|
||||
+ kernel.kptr_restrict = 1
|
||||
+ or:
|
||||
+ kernel.kptr_restrict = 2
|
||||
+
|
||||
+ Conflicting assignments are not allowed.
|
||||
+
|
||||
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
|
||||
+
|
||||
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
|
||||
|
||||
platform: machine
|
||||
@@ -52,4 +79,4 @@ template:
|
||||
|
||||
fixtext: |-
|
||||
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
|
||||
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
|
||||
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
|
@ -1,92 +0,0 @@
|
||||
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 8 Aug 2022 14:34:34 +0200
|
||||
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
|
||||
configuring queues
|
||||
|
||||
---
|
||||
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 4ce56d2e6a5..c73d9ec95a6 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -90,3 +90,20 @@ fixtext: |-
|
||||
*.* @@[remoteloggingserver]:[port]"
|
||||
|
||||
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
|
||||
+
|
||||
+warnings:
|
||||
+ - functionality: |-
|
||||
+ It is important to configure queues in case the client is sending log
|
||||
+ messages to a remote server. If queues are not configured, there is a
|
||||
+ danger that the system will stop functioning in case that the connection
|
||||
+ to the remote server is not available. Please consult Rsyslog
|
||||
+ documentation for more information about configuration of queues. The
|
||||
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
+ can look like the following lines:
|
||||
+ <pre>
|
||||
+ $ActionQueueType LinkedList
|
||||
+ $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueMaxDiskSpace 1g
|
||||
+ $ActionQueueSaveOnShutdown on
|
||||
+ $ActionResumeRetryCount -1
|
||||
+ </pre>
|
||||
|
||||
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 09:41:00 +0200
|
||||
Subject: [PATCH 2/3] Apply suggestions from code review
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index c73d9ec95a6..706d3265a08 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -95,14 +95,14 @@ warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
messages to a remote server. If queues are not configured, there is a
|
||||
- danger that the system will stop functioning in case that the connection
|
||||
+ the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
||||
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||
can look like the following lines:
|
||||
<pre>
|
||||
$ActionQueueType LinkedList
|
||||
- $ActionQueueFileName somenameforprefix
|
||||
+ $ActionQueueFileName queuefilename
|
||||
$ActionQueueMaxDiskSpace 1g
|
||||
$ActionQueueSaveOnShutdown on
|
||||
$ActionResumeRetryCount -1
|
||||
|
||||
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
|
||||
From: vojtapolasek <krecoun@gmail.com>
|
||||
Date: Tue, 9 Aug 2022 10:55:04 +0200
|
||||
Subject: [PATCH 3/3] Update
|
||||
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
|
||||
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||
---
|
||||
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
index 706d3265a08..cce4d5cac1d 100644
|
||||
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
|
||||
warnings:
|
||||
- functionality: |-
|
||||
It is important to configure queues in case the client is sending log
|
||||
- messages to a remote server. If queues are not configured, there is a
|
||||
+ messages to a remote server. If queues are not configured,
|
||||
the system will stop functioning when the connection
|
||||
to the remote server is not available. Please consult Rsyslog
|
||||
documentation for more information about configuration of queues. The
|
@ -1,472 +0,0 @@
|
||||
From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:46:12 +0100
|
||||
Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny
|
||||
|
||||
Rules are stored in different places depending on the system version.
|
||||
These changes are now explicit in ocil and fixtext. In RHEL8.6 it was
|
||||
introduced the rules.d feature and together the fagenrules script which
|
||||
reads and concatenate the rules from rules.d to finally save the result
|
||||
in the /etc/fapolicyd/compiled.rules file.
|
||||
---
|
||||
.../services/fapolicyd/fapolicy_default_deny/rule.yml | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
|
||||
index 5b9a1649571..eeecd34e69a 100644
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
|
||||
@@ -39,10 +39,14 @@ ocil: |-
|
||||
|
||||
permissive = 0
|
||||
|
||||
- Check that fapolicyd employs a deny-all policy on system mounts with the following command:
|
||||
+ Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
|
||||
|
||||
+ For RHEL 8.5 systems and older:
|
||||
$ sudo tail /etc/fapolicyd/fapolicyd.rules
|
||||
|
||||
+ For RHEL 8.6 systems and newer:
|
||||
+ $ sudo tail /etc/fapolicyd/compiled.rules
|
||||
+
|
||||
allow exe=/usr/bin/python3.7 : ftype=text/x-python
|
||||
deny_audit perm=any pattern=ld_so : all
|
||||
deny perm=any all : all
|
||||
@@ -54,8 +58,12 @@ fixtext: |-
|
||||
|
||||
permissive = 1
|
||||
|
||||
+ For RHEL 8.5 systems and older:
|
||||
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
|
||||
|
||||
+ For RHEL 8.6 systems and newer:
|
||||
+ Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
|
||||
+
|
||||
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
|
||||
|
||||
permissive = 0
|
||||
|
||||
From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 17 Nov 2022 09:40:20 +0100
|
||||
Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny
|
||||
|
||||
Firsly the existing checks were aligned to the style guides and the
|
||||
comments were reviewed. The regex used to identify the expected policy
|
||||
was also fixed since it wasn't ensuring the deny policy if defined in a
|
||||
wrong position. Finally, it was extended the assessment to consider the
|
||||
/etc/fapolicyd/compiled.rules file.
|
||||
---
|
||||
.../fapolicy_default_deny/oval/shared.xml | 64 +++++++++++++------
|
||||
1 file changed, 43 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
|
||||
index 9989459ad22..40bdcf870ca 100644
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
|
||||
@@ -4,36 +4,58 @@
|
||||
oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
|
||||
}}}
|
||||
<criteria>
|
||||
- <criterion comment="fapolicyd employs a deny-all policy"
|
||||
- test_ref="test_fapolicy_default_deny_policy" />
|
||||
- <criterion comment="fapolicyd is in enforcement mode"
|
||||
- test_ref="test_fapolicy_default_deny_enforcement" />
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="fapolicyd employs a deny-all policy in compiled.rules file"
|
||||
+ test_ref="test_fapolicy_default_deny_policy_with_rulesd"/>
|
||||
+ <criterion comment="fapolicyd employs a deny-all policy fapolicyd.rules file"
|
||||
+ test_ref="test_fapolicy_default_deny_policy_without_rulesd"/>
|
||||
+ </criteria>
|
||||
+ <criterion comment="fapolicyd is in enforcement mode"
|
||||
+ test_ref="test_fapolicy_default_deny_enforcement"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
|
||||
- comment="fapolicyd employs a deny-all policy"
|
||||
- id="test_fapolicy_default_deny_policy" version="1">
|
||||
- <ind:object object_ref="obj_fapolicy_default_deny_policy" />
|
||||
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_with_rulesd" version="1"
|
||||
+ check_existence="only_one_exists" check="all"
|
||||
+ comment="fapolicyd employs a deny-all policy in compiled.rules file">
|
||||
+ <ind:object object_ref="object_fapolicy_default_deny_policy_compiled_rules"/>
|
||||
</ind:textfilecontent54_test>
|
||||
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
|
||||
- <ind:behaviors multiline="false" />
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_compiled_rules"
|
||||
+ version="1">
|
||||
+ <ind:filepath>/etc/fapolicyd/compiled.rules</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
|
||||
+ <ind:instance datatype="int">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_without_rulesd" version="2"
|
||||
+ check_existence="only_one_exists" check="all"
|
||||
+ comment="fapolicyd employs a deny-all policy in fapolicyd.rules file">
|
||||
+ <ind:object object_ref="object_fapolicy_default_deny_policy_fapolicyd_rules"/>
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_fapolicyd_rules"
|
||||
+ version="2">
|
||||
<ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
- <ind:textfilecontent54_test check_existence="all_exist" check="all"
|
||||
- comment="fapolicyd is in enforcement mode"
|
||||
- id="test_fapolicy_default_deny_enforcement" version="1">
|
||||
- <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
|
||||
- <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_enforcement" version="2"
|
||||
+ check_existence="all_exist" check="all"
|
||||
+ comment="permissive mode is disabled in fapolicyd settings">
|
||||
+ <ind:object object_ref="object_fapolicy_default_deny_permissive_mode" />
|
||||
+ <ind:state state_ref="state_fapolicy_default_deny_permissive_mode_off" />
|
||||
</ind:textfilecontent54_test>
|
||||
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_permissive_mode" version="2">
|
||||
<ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
- <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
|
||||
- <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
|
||||
- </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_fapolicy_default_deny_permissive_mode_off" version="2"
|
||||
+ comment="permissive mode value is set to 0 (off) in fapolicyd settings file">
|
||||
+ <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
|
||||
+ </ind:textfilecontent54_state>
|
||||
</def-group>
|
||||
|
||||
From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 17 Nov 2022 10:32:51 +0100
|
||||
Subject: [PATCH 3/5] Refactored the test scenario scripts
|
||||
|
||||
The scripts were invalid and wrongly reporting results. The main issue
|
||||
was in scripts which intended to create two lines in a file but were
|
||||
overwriting the entire file in the second command instead of append the
|
||||
second line. The scripts were also refactored to consider systems using
|
||||
the rules.d feature and also older systems which doesn't have the
|
||||
rules.d feature. Another issue was that "no_quotes" was false by default
|
||||
in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect
|
||||
quotes and this was causing inconsistency in the file, so the no_quotes
|
||||
was set to true when calling the macro from test scenarios. Finally the
|
||||
scripts names were better aligned to their respective scenarios.
|
||||
---
|
||||
.../tests/allow_policy.fail.sh | 18 ++++++++++++++++++
|
||||
.../tests/commented_value.fail.sh | 12 ------------
|
||||
.../tests/correct_value.pass.sh | 12 ------------
|
||||
.../tests/deny_not_last.fail.sh | 12 ------------
|
||||
.../tests/deny_policy.pass.sh | 18 ++++++++++++++++++
|
||||
.../tests/deny_policy_but_permissive.fail.sh | 16 ++++++++++++++++
|
||||
.../tests/deny_policy_commented.fail.sh | 18 ++++++++++++++++++
|
||||
.../tests/deny_policy_not_ensured.fail.sh | 18 ++++++++++++++++++
|
||||
.../tests/fapolicy_permissive.fail.sh | 5 -----
|
||||
.../tests/wrong_value.fail.sh | 11 -----------
|
||||
10 files changed, 88 insertions(+), 52 deletions(-)
|
||||
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
|
||||
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
|
||||
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
|
||||
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
|
||||
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
|
||||
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
|
||||
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
|
||||
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
|
||||
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
|
||||
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..23d7e699056
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+#!/bin/bash
|
||||
+# packages = fapolicyd
|
||||
+# remediation = none
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
|
||||
+
|
||||
+if [ -f /etc/fapolicyd/compiled.rules ]; then
|
||||
+ active_rules_file="/etc/fapolicyd/compiled.rules"
|
||||
+else
|
||||
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
|
||||
+fi
|
||||
+
|
||||
+truncate -s 0 $active_rules_file
|
||||
+
|
||||
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
|
||||
+echo "allow perm=any all : all" >> $active_rules_file
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
|
||||
deleted file mode 100644
|
||||
index a8df835af76..00000000000
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,12 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = fapolicyd
|
||||
-# remediation = none
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
|
||||
-
|
||||
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
|
||||
-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
|
||||
deleted file mode 100644
|
||||
index c88406b0be4..00000000000
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
|
||||
+++ /dev/null
|
||||
@@ -1,12 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = fapolicyd
|
||||
-# remediation = none
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
|
||||
-
|
||||
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
|
||||
-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
|
||||
deleted file mode 100644
|
||||
index 59b16308563..00000000000
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,12 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = fapolicyd
|
||||
-# remediation = none
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
|
||||
-
|
||||
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
|
||||
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..f3ff83ca602
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+#!/bin/bash
|
||||
+# packages = fapolicyd
|
||||
+# remediation = none
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
|
||||
+
|
||||
+if [ -f /etc/fapolicyd/compiled.rules ]; then
|
||||
+ active_rules_file="/etc/fapolicyd/compiled.rules"
|
||||
+else
|
||||
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
|
||||
+fi
|
||||
+
|
||||
+truncate -s 0 $active_rules_file
|
||||
+
|
||||
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
|
||||
+echo "deny perm=any all : all" >> $active_rules_file
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..caa401ca174
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
|
||||
@@ -0,0 +1,16 @@
|
||||
+#!/bin/bash
|
||||
+# packages = fapolicyd
|
||||
+# remediation = none
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
|
||||
+
|
||||
+if [ -f /etc/fapolicyd/compiled.rules ]; then
|
||||
+ active_rules_file="/etc/fapolicyd/compiled.rules"
|
||||
+else
|
||||
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
|
||||
+fi
|
||||
+
|
||||
+truncate -s 0 $active_rules_file
|
||||
+
|
||||
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
|
||||
+echo "deny perm=any all : all" >> $active_rules_file
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..4e4bc430cec
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+#!/bin/bash
|
||||
+# packages = fapolicyd
|
||||
+# remediation = none
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
|
||||
+
|
||||
+if [ -f /etc/fapolicyd/compiled.rules ]; then
|
||||
+ active_rules_file="/etc/fapolicyd/compiled.rules"
|
||||
+else
|
||||
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
|
||||
+fi
|
||||
+
|
||||
+truncate -s 0 $active_rules_file
|
||||
+
|
||||
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
|
||||
+echo "# deny perm=any all : all" >> $active_rules_file
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b52e5446afc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
|
||||
@@ -0,0 +1,18 @@
|
||||
+#!/bin/bash
|
||||
+# packages = fapolicyd
|
||||
+# remediation = none
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
|
||||
+
|
||||
+if [ -f /etc/fapolicyd/compiled.rules ]; then
|
||||
+ active_rules_file="/etc/fapolicyd/compiled.rules"
|
||||
+else
|
||||
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
|
||||
+fi
|
||||
+
|
||||
+truncate -s 0 $active_rules_file
|
||||
+
|
||||
+echo "deny perm=any all : all" >> $active_rules_file
|
||||
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
|
||||
+
|
||||
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
|
||||
deleted file mode 100644
|
||||
index 50756a0e7a3..00000000000
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,5 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-# packages = fapolicyd
|
||||
-# remediation = none
|
||||
-
|
||||
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
|
||||
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
|
||||
deleted file mode 100644
|
||||
index da3e33f57fd..00000000000
|
||||
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
|
||||
+++ /dev/null
|
||||
@@ -1,11 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 11:02:34 +0100
Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces
Once the test scenario scripts were fixed, an issue was revelead in
bash_shell_file_set macro. The macro was not considering config files
which have spaces before and after the separator carachter. Since the
separator_regex parameter already expects regex format, it was easily
extended.
---
shared/macros/10-bash.jinja | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index ae0f0e5e6ad..0e369314645 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -122,13 +122,13 @@ fi
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
- {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
{{% endif %}}
{{%- else -%}}
{{% if "$" in value %}}
- {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
{{% else %}}
- {{% set value = "'%s'" % value %}}
+ {{% set value = "'%s'" % value %}}
{{% endif %}}
{{%- endif -%}}
{{{ set_config_file(
@@ -140,7 +140,7 @@ fi
insert_before="^#\s*" ~ parameter,
insensitive=false,
separator="=",
- separator_regex="=",
+ separator_regex="\s*=\s*",
prefix_regex="^\s*")
}}}
{{%- endmacro -%}}
From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 18 Nov 2022 09:58:47 +0100
Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor
version text.
---
.../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index eeecd34e69a..220801bc471 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -41,10 +41,12 @@ ocil: |-
Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
$ sudo tail /etc/fapolicyd/compiled.rules
allow exe=/usr/bin/python3.7 : ftype=text/x-python
@@ -58,10 +60,12 @@ fixtext: |-
permissive = 1
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
@ -1,41 +0,0 @@
From 7e2c7cc70acfdd71c64a8d9c0b6ea365a65ac1d5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 14:01:17 +0100
Subject: [PATCH 2/2] accounts_password: Add tests for conflicting and
duplicate values
Add tests for conflicting and duplicate values
---
.../accounts_password/tests/conflicting_values.fail.sh | 8 ++++++++
.../accounts_password/tests/duplicated_values.pass.sh | 7 +++++++
2 files changed, 15 insertions(+)
create mode 100644 shared/templates/accounts_password/tests/conflicting_values.fail.sh
create mode 100644 shared/templates/accounts_password/tests/duplicated_values.pass.sh
diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
new file mode 100644
index 00000000000..3517ff43083
--- /dev/null
+++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+truncate -s 0 /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
new file mode 100644
index 00000000000..e7b7f957d3d
--- /dev/null
+++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+truncate -s 0 /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
@ -1,185 +0,0 @@
From 38edb566365afd64632ad12d532ccbafcb7b422b Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Thu, 28 Jul 2022 13:51:27 -0500
Subject: [PATCH] Add OVAL to fapolicy_default_deny
Add the rule fapolicy_default_deny to OL8 STIG profile, which covers
requirement OL08-00-040137. Include tests to validate OVAL
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
.../fapolicy_default_deny/oval/shared.xml | 39 +++++++++++++++++++
.../fapolicyd/fapolicy_default_deny/rule.yml | 3 +-
.../tests/commented_value.fail.sh | 12 ++++++
.../tests/correct_value.pass.sh | 12 ++++++
.../tests/deny_not_last.fail.sh | 12 ++++++
.../tests/fapolicy_permissive.fail.sh | 5 +++
.../tests/wrong_value.fail.sh | 11 ++++++
products/ol8/profiles/stig.profile | 1 +
8 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
new file mode 100644
index 00000000000..9989459ad22
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{
+ oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
+ }}}
+ <criteria>
+ <criterion comment="fapolicyd employs a deny-all policy"
+ test_ref="test_fapolicy_default_deny_policy" />
+ <criterion comment="fapolicyd is in enforcement mode"
+ test_ref="test_fapolicy_default_deny_enforcement" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy"
+ id="test_fapolicy_default_deny_policy" version="1">
+ <ind:object object_ref="obj_fapolicy_default_deny_policy" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
+ <ind:behaviors multiline="false" />
+ <ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
+ <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_test check_existence="all_exist" check="all"
+ comment="fapolicyd is in enforcement mode"
+ id="test_fapolicy_default_deny_enforcement" version="1">
+ <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
+ <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
+ <ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
+ <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index e6837e5d7bd..5b9a1649571 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: ol8,ol9,rhel8,rhel9
title: 'Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.'
@@ -25,6 +25,7 @@ references:
disa: CCI-001764
nist: CM-7 (2),CM-7 (5) (b),CM-6 b
srg: SRG-OS-000368-GPOS-00154,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00232
+ stigid@ol8: OL08-00-040137
stigid@rhel8: RHEL-08-040137
ocil_clause: 'fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy'
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
new file mode 100644
index 00000000000..a8df835af76
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..c88406b0be4
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
new file mode 100644
index 00000000000..59b16308563
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
new file mode 100644
index 00000000000..50756a0e7a3
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..da3e33f57fd
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 05f03d339e6..34a136b8489 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -1069,6 +1069,7 @@ selections:
- service_fapolicyd_enabled
# OL08-00-040137
+ - fapolicy_default_deny
# OL08-00-040139
- package_usbguard_installed
@ -1,61 +0,0 @@
From dc37d3c376cd3f2a2178d82a928629b231662cf9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Fri, 11 Nov 2022 12:05:28 +0100
Subject: [PATCH] Align service_disabled template to service_enabled
---
.../service_disabled/ansible.template | 32 +++++--------------
1 file changed, 8 insertions(+), 24 deletions(-)
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 5c70756b8af..752f6ac5099 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -3,39 +3,17 @@
# strategy = disable
# complexity = low
# disruption = low
-{{%- if init_system == "systemd" %}}
- name: Disable service {{{ SERVICENAME }}}
block:
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
- name: Disable service {{{ SERVICENAME }}}
- systemd:
- name: "{{{ DAEMONNAME }}}.service"
+ service:
+ name: "{{{ DAEMONNAME }}}"
enabled: "no"
state: "stopped"
masked: "yes"
- ignore_errors: 'yes'
-
-- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
- command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
- args:
- warn: False
- register: socket_file_exists
- changed_when: False
- ignore_errors: True
- check_mode: False
-
-- name: Disable socket {{{ SERVICENAME }}}
- systemd:
- name: "{{{ DAEMONNAME }}}.socket"
- enabled: "no"
- state: "stopped"
- masked: "yes"
- when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
-{{% elif init_system == "upstart" %}}
-- name: Stop {{{ SERVICENAME }}}
- command: /sbin/service '{{{ DAEMONNAME }}}' stop
-
-- name: Switch off {{{ SERVICENAME }}}
- command: /sbin/chkconfig --level 0123456 '{{{ DAEMONNAME }}}' off
-{{%- else %}}
-JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
-{{%- endif %}}
+ when:
+ - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
@ -1,217 +0,0 @@
From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Fri, 11 Nov 2022 12:27:11 +0100
Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
module
---
.../system/accounts/enable_authselect/ansible/shared.yml | 2 --
.../audit_rules_privileged_commands/ansible/shared.yml | 2 --
.../audit_rules_suid_privilege_function/ansible/shared.yml | 2 --
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 6 ------
.../rpm_verify_ownership/ansible/shared.yml | 6 ------
.../rpm_verify_permissions/ansible/shared.yml | 6 ------
.../ensure_redhat_gpgkey_installed/ansible/shared.yml | 2 --
8 files changed, 28 deletions(-)
diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
index afd658790f7..6a7324a7a64 100644
--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
@@ -17,8 +17,6 @@
cmd: rpm -qV pam
register: result_altered_authselect
ignore_errors: yes
- args:
- warn: False
when:
- result_authselect_select is failed
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 68c8497c859..bb1fec9e2b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -8,8 +8,6 @@
shell: |
set -o pipefail
find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
- args:
- warn: False
executable: /bin/bash
check_mode: no
register: find_result
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index b25361136af..c46cbbe3950 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -49,8 +49,6 @@
{{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
- name: Reload Auditd
command: /usr/sbin/service auditd reload
- args:
- warn: false
{{%- endif %}}
when:
- (augenrules_audit_rules_privilege_function_update_result.changed or
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0241e804b30..0d66cb349c0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -22,8 +22,6 @@
- name: "Read files with incorrect hash"
command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
register: files_with_incorrect_hash
changed_when: False
failed_when: files_with_incorrect_hash.rc > 1
@@ -32,8 +30,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -44,8 +40,6 @@
- name: "Reinstall packages of files with incorrect hash"
command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when:
- files_with_incorrect_hash.stdout_lines is defined
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index ed490498a1d..f43b9bcef1c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -5,8 +5,6 @@
# disruption = medium
- name: "Read list of files with incorrect ownership"
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
register: files_with_incorrect_ownership
failed_when: files_with_incorrect_ownership.rc > 1
changed_when: False
@@ -14,8 +12,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -24,7 +20,5 @@
- name: "Correct file ownership with RPM"
command: "rpm --quiet --setugids '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 419ef95a323..0bd8e7e8ad5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -5,8 +5,6 @@
# disruption = medium
- name: "Read list of files with incorrect permissions"
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
register: files_with_incorrect_permissions
failed_when: files_with_incorrect_permissions.rc > 1
changed_when: False
@@ -14,8 +12,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -24,7 +20,5 @@
- name: "Correct file permissions with RPM"
command: "rpm --setperms '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index f6f590820e1..6ab9bdee767 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -18,8 +18,6 @@
{{%- else -%}}
command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
{{%- endif %}}
- args:
- warn: False
changed_when: False
register: gpg_fingerprints
check_mode: no
From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 10:00:49 +0100
Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations
---
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +-
.../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0d66cb349c0..fd850def318 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -12,7 +12,7 @@
- name: "Set fact: Package manager reinstall command (yum)"
set_fact:
package_manager_reinstall_cmd: yum reinstall -y
- when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
+ when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
- name: "Read files with incorrect hash"
command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index f43b9bcef1c..5c39628ff4c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -19,6 +19,6 @@
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
- name: "Correct file ownership with RPM"
- command: "rpm --quiet --setugids '{{ item }}'"
+ command: "rpm --setugids '{{ item }}'"
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 17:20:02 +0100
Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
all RHELs
---
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index fd850def318..178a7711a54 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -1,5 +1,5 @@
|
||||
# and the regex_findall does not filter out configuration files the same as bash remediation does
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
||||
# reboot = false
|
||||
# strategy = restrict
|
||||
# complexity = high
|
@ -1,50 +0,0 @@
|
||||
From 8c6d618070476bd81edd0524c895a3497fc902a6 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 17:48:55 +0100
|
||||
Subject: [PATCH] accounts_password_pam_retry: Add test for dupes and conflicts
|
||||
|
||||
Add test scenarios to ensure that conflicting values are failing
|
||||
and that duplicated rule are passing.
|
||||
---
|
||||
.../tests/pwquality_conf_conflicting_values.fail.sh | 12 ++++++++++++
|
||||
.../tests/pwquality_conf_duplicate_values.pass.sh | 12 ++++++++++++
|
||||
2 files changed, 24 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..16bd1171a46
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_password_pam_retry=3
|
||||
+
|
||||
+source common.sh
|
||||
+
|
||||
+CONF_FILE="/etc/security/pwquality.conf"
|
||||
+retry_cnt=3
|
||||
+
|
||||
+truncate -s 0 $CONF_FILE
|
||||
+
|
||||
+echo "retry = 3" >> $CONF_FILE
|
||||
+echo "retry = 4" >> $CONF_FILE
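Review bot: `retry_cnt=3` is assigned but never read, so the value under test is duplicated as a literal in the `echo` lines; write the compliant line as `echo "retry = $retry_cnt" >> "$CONF_FILE"` or drop the variable. The sibling `pwquality_conf_duplicate_values.pass.sh` carries the same unused variable. Quoting `$CONF_FILE` in the `truncate` and redirection lines would also match the quoted assignment above it.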
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..da37627dbb3
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
|
||||
@@ -0,0 +1,12 @@
|
||||
+#!/bin/bash
|
||||
+# variables = var_password_pam_retry=3
|
||||
+
|
||||
+source common.sh
|
||||
+
|
||||
+CONF_FILE="/etc/security/pwquality.conf"
|
||||
+retry_cnt=3
|
||||
+
|
||||
+truncate -s 0 $CONF_FILE
|
||||
+
|
||||
+echo "retry = 3" >> $CONF_FILE
|
||||
+echo "retry = 3" >> $CONF_FILE
|
@ -1,81 +0,0 @@
|
||||
From ddf34ef7c71b79ca12ccfcd00eada2c08c34d2c9 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.om>
|
||||
Date: Mon, 14 Nov 2022 17:16:53 +0100
|
||||
Subject: [PATCH 1/2] Revert "Align service_disabled template to
|
||||
service_enabled"
|
||||
|
||||
This reverts commit dc37d3c376cd3f2a2178d82a928629b231662cf9.
|
||||
---
|
||||
.../service_disabled/ansible.template | 32 ++++++++++++++-----
|
||||
1 file changed, 24 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
|
||||
index 752f6ac5099..5c70756b8af 100644
|
||||
--- a/shared/templates/service_disabled/ansible.template
|
||||
+++ b/shared/templates/service_disabled/ansible.template
|
||||
@@ -3,17 +3,33 @@
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
# disruption = low
|
||||
+{{%- if init_system == "systemd" %}}
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
block:
|
||||
- - name: Gather the package facts
|
||||
- package_facts:
|
||||
- manager: auto
|
||||
-
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
- service:
|
||||
- name: "{{{ DAEMONNAME }}}"
|
||||
+ systemd:
|
||||
+ name: "{{{ DAEMONNAME }}}.service"
|
||||
enabled: "no"
|
||||
state: "stopped"
|
||||
masked: "yes"
|
||||
- when:
|
||||
- - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
|
||||
+ ignore_errors: 'yes'
|
||||
+
|
||||
+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
|
||||
+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
|
||||
+ args:
|
||||
+ warn: False
|
||||
+ register: socket_file_exists
|
||||
+ changed_when: False
|
||||
+ ignore_errors: True
|
||||
+ check_mode: False
|
||||
+
|
||||
+- name: Disable socket {{{ SERVICENAME }}}
|
||||
+ systemd:
|
||||
+ name: "{{{ DAEMONNAME }}}.socket"
|
||||
+ enabled: "no"
|
||||
+ state: "stopped"
|
||||
+ masked: "yes"
|
||||
+ when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
|
||||
+{{%- else %}}
|
||||
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
|
||||
+{{%- endif %}}
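Review bot: `ignore_errors: 'yes'` on the Disable service task swallows any failure to stop or mask the unit, so a run in which the service stays enabled is still reported as successful; now that the revert also removes the `package_facts` guard, the only failure worth tolerating is a missing unit, e.g. `register: disable_result` plus `failed_when: disable_result.failed and 'Could not find the requested service' not in disable_result.msg` (exact message text to be confirmed against the Ansible version in use). The socket task's `when` indexes `socket_file_exists.stdout_lines[1]`, which presumably errors out when `systemctl list-unit-files` prints fewer than two lines; `'{{{ DAEMONNAME }}}.socket' in socket_file_exists.stdout` avoids the positional assumption.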
|
||||
|
||||
From 8c20a2bc997c0a24eba2a9924d832954b9e91b6a Mon Sep 17 00:00:00 2001
|
||||
From: Milan Lysonek <mlysonek@redhat.om>
|
||||
Date: Mon, 14 Nov 2022 17:37:50 +0100
|
||||
Subject: [PATCH 2/2] Make service_disabled template compatible with Ansible
|
||||
2.14
|
||||
|
||||
---
|
||||
shared/templates/service_disabled/ansible.template | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
|
||||
index 5c70756b8af..72678e050cf 100644
|
||||
--- a/shared/templates/service_disabled/ansible.template
|
||||
+++ b/shared/templates/service_disabled/ansible.template
|
||||
@@ -16,8 +16,6 @@
|
||||
|
||||
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
|
||||
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
|
||||
- args:
|
||||
- warn: False
|
||||
register: socket_file_exists
|
||||
changed_when: False
|
||||
ignore_errors: True
|
@ -1,95 +0,0 @@
|
||||
From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:23:32 +0100
|
||||
Subject: [PATCH 2/4] Update remediation to skip .bash_profile file
|
||||
|
||||
This file can have the umask content but for a different purpose than
|
||||
this rule intention. It was ignored in order to avoid changing the bash
|
||||
history. Ansible and Bash were updated.
|
||||
---
|
||||
.../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
|
||||
.../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
index 67064ac4a3b..3586ae69cbe 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
|
||||
@@ -9,6 +9,8 @@
|
||||
cmd: |
|
||||
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
|
||||
for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
|
||||
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
|
||||
+ if [ "$(basename $file)" != ".bash_history" ]; then
|
||||
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
|
||||
+ fi
|
||||
done
|
||||
done
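Review bot: The remediation runs `sed -i` as root over dotfiles in user-writable home directories, and the unquoted `$(find ...)`/`$file` expansions split on whitespace, so a dotfile with a space in its name is skipped or a different path is edited; use `find "$dir" -maxdepth 1 -type f -name ".*" -print0 | while IFS= read -r -d '' file` and quote `"$file"` in both `basename` and `sed`. Editing in place on user-controlled paths also leaves a window between `find` and `sed`, which is worth a `# NOTE: runs as root on user-owned files` comment so a maintainer sees the trust boundary. The commit subject says `.bash_profile`, but the code, the new test and the OVAL change all skip `.bash_history`; the subject appears to be the odd one out.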
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
index d5f803db313..f524ff01f9a 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
|
||||
@@ -6,6 +6,8 @@
|
||||
|
||||
{{% call iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
|
||||
{{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
|
||||
-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
|
||||
+if [ "$(basename $file)" != ".bash_history" ]; then
|
||||
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
|
||||
+fi
|
||||
{{%- endcall %}}
|
||||
{{%- endcall %}}
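Review bot: `basename $file` is unquoted while the `sed` on the next line quotes `"$file"`; a filename containing whitespace makes the comparison operate on a fragment and the exclusion silently fails. `if [ "${file##*/}" != ".bash_history" ]; then` avoids both the subshell and the quoting issue. The enclosing `iterate_over_find_output` macro is defined outside this hunk, so whether it already NUL-delimits the file list cannot be confirmed here.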
|
||||
|
||||
From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:26:04 +0100
|
||||
Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment
|
||||
|
||||
---
|
||||
.../tests/bash_history_ignored.pass.sh | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..8eeffc233b2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+USER="cac_user"
|
||||
+useradd -m $USER
|
||||
+echo "umask 022" > /home/$USER/.bash_history
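Review bot: The script assigns to `USER`, which shadows the login-name variable the shell exports and can confuse any helper that reads it from the environment; a local name such as `TEST_USER="cac_user"` is safer and makes the intent obvious. The `.bash_history` file is written by root via the redirection, so it ends up root-owned; `chown "$USER": "/home/$USER/.bash_history"` would make the fixture resemble a real user home, which matters if the check ever starts filtering on ownership.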
|
||||
|
||||
From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:27:26 +0100
|
||||
Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file
|
||||
|
||||
This rule targets user files where the umask can be changed. It is not the
|
||||
case for .bash_history. In addition, it should be avoided to change the
|
||||
.bash_history file by this rule remediations.
|
||||
---
|
||||
.../accounts_umask_interactive_users/oval/shared.xml | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
||||
index 42dbdbbae46..6f3eaa570d7 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
|
||||
@@ -29,8 +29,14 @@
|
||||
<ind:filename operation="pattern match">^\..*</ind:filename>
|
||||
<ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ <filter action="exclude">state_accounts_umask_interactive_users_bash_history</filter>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_accounts_umask_interactive_users_bash_history"
|
||||
+ version="1">
|
||||
+ <ind:filename operation="pattern match">^\.bash_history</ind:filename>
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<!-- #### creation of test #### -->
|
||||
<ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
|
||||
check_existence="none_exist" version="1"
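Review bot: The exclusion state's pattern `^\.bash_history` is not anchored at the end, so any file whose name starts with that prefix (`.bash_history_old`, `.bash_history.bak`) is also excluded from the umask check, while the remediation only skips the exact name `.bash_history`; use `^\.bash_history$` so the scan and the fix agree on the same single file. The `textfilecontent54_test` that consumes this object continues past the end of the hunk.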
|
@ -1,352 +0,0 @@
|
||||
From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 13:53:14 +0100
|
||||
Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1
|
||||
|
||||
Following update from V1R8, update the STIG profile to configure
|
||||
ClientAliveCountMax to 1.
|
||||
|
||||
This will timeout SSH connections when client alive messages are not
|
||||
received within ClientAliveInterval seconds.
|
||||
This serves the purpose of disconnecting sessions when the client has
|
||||
become unresponsive.
|
||||
---
|
||||
.../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 +
|
||||
.../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 -
|
||||
products/rhel8/profiles/stig.profile | 4 ++--
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
index bc8ee914565..df0681f3f3a 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
@@ -55,6 +55,7 @@ references:
|
||||
pcidss: Req-8.1.8
|
||||
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
|
||||
stigid@ol7: OL07-00-040340
|
||||
+ stigid@rhel8: RHEL-08-010200
|
||||
stigid@sle12: SLES-12-030191
|
||||
stigid@ubuntu2004: UBTU-20-010036
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
index 024cb687382..a02fa8f40db 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
@@ -54,7 +54,6 @@ references:
|
||||
stigid@ol7: OL07-00-040340
|
||||
stigid@ol8: OL08-00-010200
|
||||
stigid@rhel7: RHEL-07-040340
|
||||
- stigid@rhel8: RHEL-08-010200
|
||||
stigid@sle12: SLES-12-030191
|
||||
stigid@sle15: SLES-15-010320
|
||||
vmmsrg: SRG-OS-000480-VMM-002000
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 96dfbf6b203..d184957f28c 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -50,7 +50,7 @@ selections:
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
- var_password_pam_minlen=15
|
||||
- # - var_sshd_set_keepalive=0
|
||||
+ - var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
@@ -174,7 +174,7 @@ selections:
|
||||
# they still need to be selected so it follows exactly what STIG
|
||||
# states.
|
||||
# RHEL-08-010200
|
||||
- - sshd_set_keepalive_0
|
||||
+ - sshd_set_keepalive
|
||||
# RHEL-08-010201
|
||||
- sshd_set_idle_timeout
|
||||
|
||||
|
||||
From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 14:06:42 +0100
|
||||
Subject: [PATCH 2/7] Change verbiage on keepalive rules
|
||||
|
||||
Stop using the 'idle', that implies an idle user; And
|
||||
start using unresponsive, which better describes the state of network.
|
||||
---
|
||||
.../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++-------
|
||||
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++---
|
||||
2 files changed, 11 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
index df0681f3f3a..7a27c134f1e 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
||||
@@ -7,14 +7,15 @@ description: |-
|
||||
during a SSH session and waits for a response from the SSH client.
|
||||
The option <tt>ClientAliveInterval</tt> configures timeout after
|
||||
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
|
||||
- receive a response from the client, then the connection is considered idle
|
||||
+ receive a response from the client, then the connection is considered unresponsive
|
||||
and terminated.
|
||||
For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
|
||||
- causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
|
||||
+ causes a timeout precisely when the <tt>ClientAliveInterval</tt> is set.
|
||||
Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
|
||||
completely. If the option is set to a number greater than <tt>0</tt>, then
|
||||
- the idle session will be disconnected after
|
||||
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
|
||||
+ the session will be disconnected after
|
||||
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving
|
||||
+ a keep alive message.
|
||||
|
||||
rationale: |-
|
||||
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
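Review bot: The context sentence `The option ClientAliveInterval configures timeout after each ClientAliveCountMax message` has the two directives reversed: ClientAliveInterval is the number of seconds between client-alive messages and ClientAliveCountMax is how many may go unanswered before sshd disconnects. Since this commit rewrites the neighbouring sentences, fixing it here would keep the description consistent with the new `ClientAliveInterval * ClientAliveCountMax` wording, e.g. `sshd sends a client-alive message every ClientAliveInterval seconds; ClientAliveCountMax sets how many may go unanswered before the connection is dropped.`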
|
||||
@@ -70,8 +71,8 @@ ocil: |-
|
||||
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
|
||||
If properly configured, the output should be:
|
||||
<pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
|
||||
- For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
|
||||
+ For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes a timeout precisely when
|
||||
the <tt>ClientAliveInterval</tt> is set. Starting with v8.2, a value of <tt>0</tt> disables the timeout
|
||||
functionality completely.
|
||||
- If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
|
||||
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
|
||||
+ If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
|
||||
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds witout receiving a keep alive message.
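Review bot: The new ocil line has a typo, `witout` → `without`; this text is rendered to assessors in the generated guide and HTML tables. The same sentence in the description hunk above spells it correctly, so only the ocil copy needs the fix.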
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
index a02fa8f40db..55011ab66a7 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||
@@ -10,10 +10,10 @@ description: |-
|
||||
during a SSH session and waits for a response from the SSH client.
|
||||
The option <tt>ClientAliveInterval</tt> configures timeout after
|
||||
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
|
||||
- receive a response from the client, then the connection is considered idle
|
||||
+ receive a response from the client, then the connection is considered unresponsive
|
||||
and terminated.
|
||||
|
||||
- To ensure the SSH idle timeout occurs precisely when the
|
||||
+ To ensure the SSH timeout occurs precisely when the
|
||||
<tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
|
||||
value of <tt>0</tt> in
|
||||
{{{ sshd_config_file() }}}
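Review bot: The rewritten sentence still presents `ClientAliveCountMax 0` as the way to make the timeout fire at the interval, but on OpenSSH 8.2 and later a value of 0 disables the client-alive timeout entirely (the sibling rule's description in the hunk above says exactly this), so applying this rule on a newer release removes the control rather than tightening it. Unless the rule is platform-restricted to older OpenSSH (not visible here), the description should carry the same caveat, e.g. `On OpenSSH 8.2 and later a value of 0 disables the timeout; select sshd_set_keepalive with a value of 1 instead.`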
|
||||
@@ -73,7 +73,7 @@ ocil: |-
|
||||
If properly configured, the output should be:
|
||||
<pre>ClientAliveCountMax 0</pre>
|
||||
|
||||
- In this case, the SSH idle timeout occurs precisely when
|
||||
+ In this case, the SSH timeout occurs precisely when
|
||||
the <tt>ClientAliveInterval</tt> is set.
|
||||
|
||||
template:
|
||||
|
||||
From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 14:27:50 +0100
|
||||
Subject: [PATCH 3/7] Add tests to check for configuration conflicts
|
||||
|
||||
---
|
||||
.../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++
|
||||
.../tests/param_conflict_directory.fail.sh | 13 +++++++++++++
|
||||
2 files changed, 24 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..54441cbb5b6
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
|
||||
+echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
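Review bot: The cleanup is only half case-insensitive: `grep -q "^\s*ClientAliveCountMax"` matches case-sensitively, while the `sed` address uses the `I` flag, so a pre-existing lowercase `clientalivecountmax` line (sshd keywords are case-insensitive) survives and changes what the scenario actually exercises; use `grep -qi` so the guard matches the sed address. The same guard/sed pair is copied into the `param_conflict_directory`, `sshd_set_idle_timeout` and `sshd_rekey_limit` scenarios below.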
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..aa6931cc243
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
|
||||
+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
|
||||
|
||||
From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 17:09:16 +0100
|
||||
Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax
|
||||
|
||||
The rule was only checking the first occurrence of ClientAliveCountMax,
|
||||
but we need to check that all and any occurrences of
|
||||
ClientAliveCountMax are compliant.
|
||||
---
|
||||
.../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
||||
index 5e07d982821..404c36c8dbc 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
||||
@@ -49,7 +49,7 @@
|
||||
<ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
|
||||
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
|
||||
- <ind:instance datatype="int">1</ind:instance>
|
||||
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
{{%- if sshd_distributed_config == "true" %}}
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist"
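Review bot: Collecting every occurrence with `greater than or equal 1` is the right direction because sshd applies the first value it reads for a keyword and a later `ClientAliveCountMax` inside a `Match` block still overrides the global value for matched connections, so all instances must be compliant; that reasoning belongs on the object, e.g. `<!-- every occurrence must comply: a later value in a Match block applies to matched connections -->`. The `(?i)` placed after `^[\s]*` only affects the remainder of the pattern, which is harmless here but reads more clearly at the start of the expression. An `Include` directive in sshd_config is not followed by this object; the distributed-config branch starts at the last line of the hunk and continues beyond it.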
|
||||
|
||||
From d15ebb0b563895fbc2ab85c631410ea60bd02d95 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 17:40:26 +0100
|
||||
Subject: [PATCH 5/7] Add test to check for configuration conflicts
|
||||
|
||||
Add test for non distributed ssh config conflicts for
|
||||
ClientAliveInterval.
|
||||
---
|
||||
.../tests/param_conflict.fail.sh | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..1e14aa3da36
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
||||
@@ -0,0 +1,15 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
|
||||
+echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
|
||||
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
|
||||
|
||||
From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 17:41:19 +0100
|
||||
Subject: [PATCH 6/7] Change verbiage on idle timeout rule
|
||||
|
||||
The config is not really about idle user timeout, the config is about
|
||||
unresponsive network timeout.
|
||||
---
|
||||
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
index aa085894f61..c5606aac557 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||
@@ -1,12 +1,12 @@
|
||||
documentation_complete: true
|
||||
|
||||
-title: 'Set SSH Idle Timeout Interval'
|
||||
+title: 'Set SSH Client Alive Interval'
|
||||
|
||||
description: |-
|
||||
- SSH allows administrators to set an idle timeout interval. After this interval
|
||||
- has passed, the idle user will be automatically logged out.
|
||||
+ SSH allows administrators to set a network responsiveness timeout interval.
|
||||
+ After this interval has passed, the unresponsive client will be automatically logged out.
|
||||
<br /><br />
|
||||
- To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
|
||||
+ To set this timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
|
||||
follows:
|
||||
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
|
||||
<br/><br/>
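Review bot: The new description says the unresponsive client is logged out but does not state the converse, which is the point most administrators miss: a client that keeps answering client-alive messages is never disconnected by this setting, however long the user is idle, so this rule is not a session-inactivity control. Suggest adding after the second sentence: `This does not terminate sessions whose client is responsive but whose user is idle; use a shell timeout such as TMOUT for that.` The rationale further down still speaks of "an idle ssh session" and the variable keeps the name `sshd_idle_timeout_value`, which the rewording leaves inconsistent.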
|
||||
@@ -15,7 +15,7 @@ description: |-
|
||||
<br /><br />
|
||||
If a shorter timeout has already been set for the login shell, that value will
|
||||
preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
|
||||
- some processes may stop SSH from correctly detecting that the user is idle.
|
||||
+ some processes may stop SSH from correctly detecting that the user is idle.
|
||||
|
||||
rationale: |-
|
||||
Terminating an idle ssh session within a short time period reduces the window of
|
||||
@@ -81,7 +81,7 @@ ocil: |-
|
||||
|
||||
warnings:
|
||||
- dependency: |-
|
||||
- SSH disconnecting idle clients will not have desired effect without also
|
||||
+ SSH disconnecting unresponsive clients will not have desired effect without also
|
||||
configuring ClientAliveCountMax in the SSH service configuration.
|
||||
- general: |-
|
||||
Following conditions may prevent the SSH session to time out:
|
||||
|
||||
From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 9 Nov 2022 11:31:50 +0100
|
||||
Subject: [PATCH 7/7] Update profile stability test data
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index cadc3f5fc7a..51971451996 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -371,7 +371,7 @@ selections:
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
+- sshd_set_keepalive
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -441,6 +441,7 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
+- var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index bde4e18b068..fd150744167 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -381,7 +381,7 @@ selections:
|
||||
- sshd_print_last_log
|
||||
- sshd_rekey_limit
|
||||
- sshd_set_idle_timeout
|
||||
-- sshd_set_keepalive_0
|
||||
+- sshd_set_keepalive
|
||||
- sshd_use_strong_rng
|
||||
- sshd_x11_use_localhost
|
||||
- sssd_certificate_verification
|
||||
@@ -449,6 +449,7 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- var_password_pam_retry=3
|
||||
+- var_sshd_set_keepalive=1
|
||||
- sshd_approved_macs=stig
|
||||
- sshd_approved_ciphers=stig
|
||||
- sshd_idle_timeout_value=10_minutes
|
@ -1,142 +0,0 @@
|
||||
From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 10:13:16 +0100
|
||||
Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
|
||||
|
||||
---
|
||||
.../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
|
||||
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
|
||||
2 files changed, 28 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..0eb6aab6804
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+SSHD_PARAM="RekeyLimit"
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
||||
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..bc254a3a57c
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
||||
@@ -0,0 +1,15 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||||
+
|
||||
+SSHD_PARAM="RekeyLimit"
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf
|
||||
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf
|
||||
|
||||
From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 10:32:35 +0100
|
||||
Subject: [PATCH 2/3] Separate the SSHD parameter from the value
|
||||
|
||||
Separate the SSHD paramater RekeyLimit from the compliant values.
|
||||
This makes it possible to collect all occurrences of RekeyLimit and
|
||||
compare each of then with the compliant values.
|
||||
---
|
||||
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
index b2dd9039200..38c8a84aa3f 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||||
@@ -24,30 +24,36 @@
|
||||
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
|
||||
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
||||
+ <ind:state state_ref="state_sshd_rekey_limit"/>
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
|
||||
<ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
|
||||
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
{{%- if sshd_distributed_config == "true" %}}
|
||||
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
||||
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
||||
+ <ind:state state_ref="state_sshd_rekey_limit"/>
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
|
||||
<ind:path>{{{ sshd_config_dir}}}</ind:path>
|
||||
<ind:filename operation="pattern match">.*\.conf$</ind:filename>
|
||||
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
||||
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
{{%- endif %}}
|
||||
|
||||
+ <ind:textfilecontent54_state id="state_sshd_rekey_limit" version="1">
|
||||
+ <ind:subexpression operation="pattern match" var_ref="sshd_line_regex" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||||
<concat>
|
||||
- <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
|
||||
+ <literal_component>^</literal_component>
|
||||
<variable_component var_ref="var_rekey_limit_size"/>
|
||||
<literal_component>[\s]+</literal_component>
|
||||
<variable_component var_ref="var_rekey_limit_time"/>
|
||||
|
||||
From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 10:39:45 +0100
|
||||
Subject: [PATCH 3/3] Add test for duplicated SSHD parameter
|
||||
|
||||
Ensure the rule still passes when a parameter is defined multiple times
|
||||
but have the same value.
|
||||
---
|
||||
.../tests/duplicated_param.pass.sh | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..2e0d8145abd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+SSHD_PARAM="RekeyLimit"
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
||||
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
||||
+
|
@ -1,52 +0,0 @@
|
||||
From 93b9ab4f532710a8c063d7a71cbbeee26be2470b Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 8 Nov 2022 18:01:17 +0100
|
||||
Subject: [PATCH] Add test for param conflicts for SSH compression
|
||||
|
||||
---
|
||||
.../tests/param_conflict.fail.sh | 13 +++++++++++++
|
||||
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
|
||||
2 files changed, 28 insertions(+)
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
|
||||
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..a631b3207bd
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+SSHD_PARAM="Compression"
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config
|
||||
+echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..f1c15c139c7
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
|
||||
@@ -0,0 +1,15 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||||
+
|
||||
+SSHD_PARAM="Compression"
|
||||
+
|
||||
+mkdir -p /etc/ssh/sshd_config.d
|
||||
+touch /etc/ssh/sshd_config.d/nothing
|
||||
+
|
||||
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||
+fi
|
||||
+
|
||||
+echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf
|
||||
+echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf
|
@ -1,202 +0,0 @@
|
||||
From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:16:32 +0100
|
||||
Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
|
||||
|
||||
Sysctl options can also be defined in /usr/local/lib/sysctl.d/
|
||||
---
|
||||
.../tests/correct_value_usr_local_lib.pass.sh | 14 ++++++++++++++
|
||||
.../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
|
||||
2 files changed, 28 insertions(+)
|
||||
create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
|
||||
create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
|
||||
|
||||
diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..3e366a9162f
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+{{% if SYSCTLVAL == "" %}}
|
||||
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
|
||||
+mkdir /usr/local/lib/sysctl.d/
|
||||
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
|
||||
diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..fee34ea272f
|
||||
--- /dev/null
|
||||
+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
|
||||
@@ -0,0 +1,14 @@
|
||||
+#!/bin/bash
|
||||
+{{% if SYSCTLVAL == "" %}}
|
||||
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
|
||||
+{{% endif %}}
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
|
||||
+mkdir /usr/local/lib/sysctl.d/
|
||||
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf
|
||||
+
|
||||
+# Setting correct runtime value
|
||||
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
|
||||
|
||||
From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:19:15 +0100
|
||||
Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs
|
||||
|
||||
Update the template so that /usr/local/lib/sysctl.d is also checked for
|
||||
sysctl onfigurations.
|
||||
---
|
||||
shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++-
|
||||
1 file changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
||||
index bbe646274f6..3fe6de1c185 100644
|
||||
--- a/shared/templates/sysctl/oval.template
|
||||
+++ b/shared/templates/sysctl/oval.template
|
||||
@@ -138,6 +138,8 @@
|
||||
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
|
||||
test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
|
||||
{{% endif %}}
|
||||
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/local/lib/sysctl.d/*.conf"
|
||||
+ test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
|
||||
</criteria>
|
||||
{{% if target_oval_version >= [5, 11] %}}
|
||||
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
|
||||
@@ -181,6 +183,13 @@
|
||||
</unix:symlink_state>
|
||||
{{% endif %}}
|
||||
|
||||
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_local_lib_sysctld" version="1"
|
||||
+ check_existence="any_exist"
|
||||
+ check="all"
|
||||
+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
|
||||
+ {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
|
||||
<object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||
</local_variable>
|
||||
@@ -190,7 +199,7 @@
|
||||
<ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
|
||||
<set>
|
||||
<object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
|
||||
- <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
|
||||
+ <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
|
||||
</set>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
@@ -201,6 +210,13 @@
|
||||
</set>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
|
||||
+ <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
|
||||
+ </set>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
|
||||
<set>
|
||||
<object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
|
||||
@@ -227,6 +243,12 @@
|
||||
{{{ sysctl_match() }}}
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
+ <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
|
||||
+ <ind:path>/usr/local/lib/sysctl.d</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ {{{ sysctl_match() }}}
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
||||
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
|
||||
<ind:path>/usr/lib/sysctl.d</ind:path>
|
||||
|
||||
From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:35:17 +0100
|
||||
Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations
|
||||
|
||||
The Ansible remediation for some products were not aligned with the Bash
|
||||
one.
|
||||
---
|
||||
shared/templates/sysctl/ansible.template | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
||||
index edc4d3fb667..d67cdd2068c 100644
|
||||
--- a/shared/templates/sysctl/ansible.template
|
||||
+++ b/shared/templates/sysctl/ansible.template
|
||||
@@ -9,12 +9,15 @@
|
||||
paths:
|
||||
- "/etc/sysctl.d/"
|
||||
- "/run/sysctl.d/"
|
||||
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
||||
+ - "/usr/lib/sysctl.d/"
|
||||
+{{% endif %}}
|
||||
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
|
||||
patterns: "*.conf"
|
||||
file_type: any
|
||||
register: find_sysctl_d
|
||||
|
||||
-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files
|
||||
replace:
|
||||
path: "{{ item.path }}"
|
||||
regexp: '^[\s]*{{{ SYSCTLVAR }}}'
|
||||
|
||||
From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 15:36:59 +0100
|
||||
Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d
|
||||
|
||||
Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options
|
||||
and comment them out.
|
||||
---
|
||||
shared/templates/sysctl/ansible.template | 1 +
|
||||
shared/templates/sysctl/bash.template | 4 ++--
|
||||
2 files changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
||||
index d67cdd2068c..3ac5d072fcf 100644
|
||||
--- a/shared/templates/sysctl/ansible.template
|
||||
+++ b/shared/templates/sysctl/ansible.template
|
||||
@@ -9,6 +9,7 @@
|
||||
paths:
|
||||
- "/etc/sysctl.d/"
|
||||
- "/run/sysctl.d/"
|
||||
+ - "/usr/local/lib/sysctl.d/"
|
||||
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
||||
- "/usr/lib/sysctl.d/"
|
||||
{{% endif %}}
|
||||
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
|
||||
index 27935c33612..83f50a74a06 100644
|
||||
--- a/shared/templates/sysctl/bash.template
|
||||
+++ b/shared/templates/sysctl/bash.template
|
||||
@@ -6,9 +6,9 @@
|
||||
|
||||
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
||||
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
|
||||
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
|
||||
{{% else %}}
|
||||
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
|
||||
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
|
||||
{{% endif %}}
|
||||
matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
|
||||
if ! test -z "$matching_list"; then
|
@ -1,83 +0,0 @@
|
||||
From fae75e8f00cf5de18c4c1813d94987e848f14233 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Thu, 24 Nov 2022 14:40:15 +0100
|
||||
Subject: [PATCH] Map selinux_user_login_roles to RHEL-08-040400
|
||||
|
||||
This STIG ID is a new addition in DISA RHEL8 STIG V1R8
|
||||
---
|
||||
.../guide/system/selinux/selinux_user_login_roles/rule.yml | 2 ++
|
||||
products/rhel8/profiles/stig.profile | 3 +++
|
||||
shared/references/cce-redhat-avail.txt | 1 -
|
||||
tests/data/profile_stability/rhel8/stig.profile | 1 +
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
|
||||
5 files changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
||||
index 053d4341bbd..d4c211c1062 100644
|
||||
--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
||||
@@ -34,6 +34,7 @@ severity: medium
|
||||
|
||||
identifiers:
|
||||
cce@rhel7: CCE-80543-2
|
||||
+ cce@rhel8: CCE-86353-0
|
||||
|
||||
references:
|
||||
disa: CCI-002165,CCI-002235
|
||||
@@ -41,6 +42,7 @@ references:
|
||||
stigid@ol7: OL07-00-020020
|
||||
stigid@ol8: OL08-00-040400
|
||||
stigid@rhel7: RHEL-07-020020
|
||||
+ stigid@rhel8: RHEL-08-040400
|
||||
|
||||
ocil_clause: 'non-admin users are not confined correctly'
|
||||
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index d184957f28c..fe699f34beb 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -1207,5 +1207,8 @@ selections:
|
||||
# RHEL-08-040390
|
||||
- package_tuned_removed
|
||||
|
||||
+ # RHEL-08-040400
|
||||
+ - selinux_user_login_roles
|
||||
+
|
||||
# RHEL-08-010163
|
||||
- package_krb5-server_removed
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index d2fcd6421e1..9575ecac8c9 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -210,7 +210,6 @@ CCE-86343-1
|
||||
CCE-86347-2
|
||||
CCE-86351-4
|
||||
CCE-86352-2
|
||||
-CCE-86353-0
|
||||
CCE-86355-5
|
||||
CCE-86357-1
|
||||
CCE-86358-9
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 51971451996..6ddf29e7bfe 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -343,6 +343,7 @@ selections:
|
||||
- security_patches_up_to_date
|
||||
- selinux_policytype
|
||||
- selinux_state
|
||||
+- selinux_user_login_roles
|
||||
- service_auditd_enabled
|
||||
- service_autofs_disabled
|
||||
- service_debug-shell_disabled
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index fd150744167..fb8f5602dac 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -353,6 +353,7 @@ selections:
|
||||
- security_patches_up_to_date
|
||||
- selinux_policytype
|
||||
- selinux_state
|
||||
+- selinux_user_login_roles
|
||||
- service_auditd_enabled
|
||||
- service_autofs_disabled
|
||||
- service_debug-shell_disabled
|
@ -0,0 +1,106 @@
|
||||
From f9a787045807d22b0bca3d028f265cb6f87f681c Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 7 Feb 2023 10:53:18 +0100
|
||||
Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
|
||||
---
|
||||
.../oval/shared.xml | 68 +++++++++++++++----
|
||||
1 file changed, 54 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
index 4adef2e53f..d7c96665b4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
@@ -133,9 +133,10 @@
|
||||
OVAL resources in order to detect and assess only active zone, which are zones with at
|
||||
least one NIC assigned to it. Since it was possible to easily have the list of active
|
||||
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
||||
- level of complexity to make sure environments with multiple NICs and multiple zones are
|
||||
- in use. So, in favor of simplicity and readbility it was decided to work with a static
|
||||
- list. It means that, in the future, it is possible this list needs to be updated. -->
|
||||
+ level of complexity to ensure proper assessment in environments where multiple NICs and
|
||||
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
|
||||
+ work with a static list. It means that, in the future, it is possible this list needs to
|
||||
+ be updated. -->
|
||||
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
|
||||
datatype="string"
|
||||
comment="Regex containing the list of zones files delivered in the firewalld package">
|
||||
@@ -145,23 +146,62 @@
|
||||
<!-- If any default zone is modified by the administrator, the respective zone file is placed
|
||||
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
||||
directory is applicable for new zones created by the administrator. Therefore, all files
|
||||
- in this directory should also allow SSH. -->
|
||||
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
+ in this directory should also allow SSH.
|
||||
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
|
||||
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
|
||||
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
|
||||
+ an impact in transparency since the objects are not shown in reports. The transparency
|
||||
+ impact can be workarounded by using other OVAL objects, but this would impact in
|
||||
+ readability and would increase complexity. This solution is in favor of simplicity. -->
|
||||
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
check="all" check_existence="at_least_one_exists" version="1"
|
||||
comment="SSH service is defined in all zones created or modified by the administrator">
|
||||
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- </ind:xmlfilecontent_test>
|
||||
+ <ind:object
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
|
||||
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_test>
|
||||
+
|
||||
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ version="1">
|
||||
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files allowing ssh">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
|
||||
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:path>/etc/firewalld/zones</ind:path>
|
||||
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
+ <ind:path>/etc/firewalld/zones</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
</ind:xmlfilecontent_object>
|
||||
|
||||
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
- </ind:xmlfilecontent_state>
|
||||
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path>/etc/firewalld/zones</unix:path>
|
||||
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
|
||||
+ </unix:file_object>
|
||||
|
||||
<!-- SSH service is configured as expected -->
|
||||
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
|
||||
--
|
||||
2.39.1
|
||||
|
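Review bot: The two counts that the new variable_test compares are taken over different file sets — `object_firewalld_sshd_port_enabled_custom_zone_files` carries `<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" .../>` and so also collects `.xml` files one level below /etc/firewalld/zones, while `object_firewalld_sshd_port_enabled_zone_files_etc` has no behaviors element and only reads files directly in that directory. A stray `.xml` in a subdirectory (which firewalld does not load as a zone) would raise the denominator and make the rule fail even though every real custom zone allows ssh; dropping the behaviors element, or using `max_depth="0"`, keeps both objects over the same files. It is also worth confirming how the `count` function behaves when /etc/firewalld/zones holds no zone files at all (the stock state): if an empty component yields no value rather than 0, `at_least_one_exists` is not met and the criterion outside this hunk has to cover that case. Minor: the new comment text has `readbility` and `workarounded`; `readability` and `worked around` read better.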
122
scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
Normal file
@ -0,0 +1,122 @@
|
||||
From a8236abf709c577152cb96876fcc27c8cf173e66 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 8 Feb 2023 14:42:32 +0100
|
||||
Subject: [PATCH 5/5] Accept required and requisite control flag for
|
||||
pam_pwhistory
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
Patch-status: Accept required and requisite control flag for pam_pwhistory
|
||||
---
|
||||
controls/cis_rhel8.yml | 2 +-
|
||||
controls/cis_rhel9.yml | 2 +-
|
||||
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
|
||||
.../rule.yml | 4 ++++
|
||||
.../var_password_pam_remember_control_flag.var | 1 +
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
8 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
||||
index c0406f97b8..efc53d03fd 100644
|
||||
--- a/controls/cis_rhel8.yml
|
||||
+++ b/controls/cis_rhel8.yml
|
||||
@@ -2267,7 +2267,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
|
||||
index 7299a39528..30f7e8d182 100644
|
||||
--- a/controls/cis_rhel9.yml
|
||||
+++ b/controls/cis_rhel9.yml
|
||||
@@ -2112,7 +2112,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
index 1e8286a4a4..b02b7da419 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
@@ -5,7 +5,7 @@ controls:
|
||||
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
|
||||
rules:
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
status: automated
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
index c549de2e96..d2b220ef9f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
@@ -129,3 +129,7 @@ warnings:
|
||||
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
|
||||
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
|
||||
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
|
||||
+ If a custom profile was created and used in the system before this authselect feature was
|
||||
+ available, the new feature can't be used with this custom profile and the
|
||||
+ remediation will fail. In this case, the custom profile should be recreated or manually
|
||||
+ updated.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
index 8f01007550..1959936c04 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
@@ -20,4 +20,5 @@ options:
|
||||
"sufficient": "sufficient"
|
||||
"binding": "binding"
|
||||
"ol8": "required,requisite"
|
||||
+ "requisite_or_required": "requisite,required"
|
||||
default: "requisite"
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 8c64868619..a3f7dc9720 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -37,7 +37,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 6970a32b4f..5d694c6ae1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -433,7 +433,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 314f14e4f6..e165525b90 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -441,7 +441,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,147 @@
|
||||
From 775dec7b479f9fa900fa46d174b202efc14407fa Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 11:14:40 +0100
|
||||
Subject: [PATCH 6/6] remove rule logind_session_timeout and associated
|
||||
variable from profiles
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
Patch-status: remove rule logind_session_timeout and associated variable from profiles
|
||||
---
|
||||
controls/anssi.yml | 2 --
|
||||
products/rhel8/profiles/cjis.profile | 2 --
|
||||
products/rhel8/profiles/ospp.profile | 2 --
|
||||
products/rhel8/profiles/pci-dss.profile | 2 --
|
||||
products/rhel8/profiles/rht-ccp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
|
||||
7 files changed, 14 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 607ce976ef..9e631d1de4 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -676,8 +676,6 @@ controls:
|
||||
- var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index f60b65bc06..18394802b9 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- - logind_session_timeout
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
- sshd_disable_root_login
|
||||
@@ -120,7 +119,6 @@ selections:
|
||||
- set_firewalld_default_zone
|
||||
- firewalld_sshd_port_enabled
|
||||
- sshd_idle_timeout_value=30_minutes
|
||||
- - var_logind_session_timeout=30_minutes
|
||||
- inactivity_timeout_value=30_minutes
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_tcp_syncookies
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 0fe17b2085..fb46ab4c0c 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -300,8 +300,6 @@ selections:
|
||||
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=14_minutes
|
||||
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
|
||||
index c63c5f4a07..c0c9b12773 100644
|
||||
--- a/products/rhel8/profiles/pci-dss.profile
|
||||
+++ b/products/rhel8/profiles/pci-dss.profile
|
||||
@@ -17,7 +17,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
- - var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
@@ -110,7 +109,6 @@ selections:
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dconf_gnome_screensaver_mode_blank
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- accounts_password_pam_minlen
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index 0a00d2f46b..775727e885 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -12,7 +12,6 @@ selections:
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- sshd_idle_timeout_value=5_minutes
|
||||
- - var_logind_session_timeout=5_minutes
|
||||
- var_accounts_minimum_age_login_defs=7
|
||||
- var_accounts_passwords_pam_faillock_deny=5
|
||||
- var_accounts_password_warn_age_login_defs=7
|
||||
@@ -89,7 +88,6 @@ selections:
|
||||
- package_telnet_removed
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index a31f3245d8..267b66a4f8 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- kernel_module_firewire-core_disabled
|
||||
- kernel_module_sctp_disabled
|
||||
- kernel_module_tipc_disabled
|
||||
-- logind_session_timeout
|
||||
- mount_option_boot_nodev
|
||||
- mount_option_boot_nosuid
|
||||
- mount_option_dev_shm_nodev
|
||||
@@ -254,7 +253,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
-- var_logind_session_timeout=14_minutes
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=never
|
||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
index 5c77ea6a85..902d0084fc 100644
|
||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
@@ -109,7 +109,6 @@ selections:
|
||||
- gid_passwd_group_same
|
||||
- grub2_audit_argument
|
||||
- install_hids
|
||||
-- logind_session_timeout
|
||||
- no_empty_passwords
|
||||
- package_aide_installed
|
||||
- package_audispd-plugins_installed
|
||||
@@ -137,7 +136,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
-- var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
--
|
||||
2.39.1
|
||||
|
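Review bot: The Patch-status line at the head of this new patch file only restates the subject, so a reader of the spec cannot tell why logind_session_timeout and var_logind_session_timeout are unselected from anssi, cjis, ospp, pci-dss and rht-ccp, nor what still terminates idle local (non-SSH) sessions afterwards. In the visible hunks only sshd_set_idle_timeout / sshd_idle_timeout_value remain in every profile and var_accounts_tmout only in the anssi control, so coverage for console logins presumably rests on selections outside these hunks. I would extend the header to something like `Patch-status: Unselect logind_session_timeout and its variable from RHEL8 profiles (RHBZ#2158404); idle-session termination remains with sshd_set_idle_timeout and, where selected, var_accounts_tmout` with the actual reason filled in. The file is added whole, so the unit is complete within this hunk.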
@ -5,8 +5,8 @@
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.63
|
||||
Release: 5%{?dist}
|
||||
Version: 0.1.66
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -14,45 +14,21 @@ URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
# Rsyslog files rules remediations
|
||||
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
|
||||
# Extends rsyslog_logfiles_attributes_modify template for permissions
|
||||
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
|
||||
# Change custom zones check in firewalld_sshd_port_enabled
|
||||
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
# Accept required and requisite control flag for pam_pwhistory
|
||||
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
# remove rule logind_session_timeout and associated variable from profiles
|
||||
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
|
||||
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
|
||||
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
|
||||
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
|
||||
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
|
||||
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
|
||||
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
|
||||
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
|
||||
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
|
||||
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
|
||||
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
|
||||
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
|
||||
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
|
||||
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
|
||||
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
|
||||
Patch16: scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
|
||||
Patch17: scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
|
||||
Patch18: scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
|
||||
Patch19: scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
|
||||
Patch20: scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch
|
||||
Patch21: scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
|
||||
Patch22: scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
|
||||
Patch23: scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch
|
||||
Patch24: scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
|
||||
Patch25: scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
|
||||
Patch26: scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch
|
||||
Patch27: scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
|
||||
Patch28: scap-security-guide-0.1.66-map_stig_rhel_08_040400-PR_9878.patch
|
||||
Patch29: scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
|
||||
Patch30: scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
|
||||
Patch31: scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
|
||||
Patch32: scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
|
||||
Patch33: scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
@ -156,6 +132,22 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
||||
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
||||
|
||||
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
|
||||
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
|
||||
- Fix levels of CIS rules (RHBZ#2162803)
|
||||
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
|
||||
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
|
||||
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
|
||||
- Add rule for audit immutable login uids (RHBZ#2151553)
|
||||
- Fix remediation of audit watch rules (RHBZ#2119356)
|
||||
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
|
||||
- Fix applicability of kerberos rules (RHBZ#2099394)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
|
||||
|
||||
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
|
||||
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
|
||||
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
|
||||
|
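Review bot: The %changelog entries in the last hunk do not cite the backported PRs, while the Patch1 to Patch5 lines in the second hunk, which appear to be on the new side, carry PR ids (PR_9789, PR_10139, PR_10162, PR_10175, PR_10202), so nothing visible maps Patch3 (firewalld_sshd_port_enabled) or Patch4 (pam_pwhistory control flag) to a changelog line unless the pam_unix_remember entry is meant to cover the latter. I would append the PR id to each entry the patch satisfies, e.g. `- Accept required and requisite control flag for pam_pwhistory (PR_10175, RHBZ#<bugzilla-id>)`, so a release reviewer can audit which change each patch belongs to. The file header of this spec section is not on the page, so the hunks are read on their own.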
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2) = c12b1210a7829578d2b32c22950a9f93913ae4981efb31304aea04d43791eb86c75bb5cdc4ceb35741bcb00306db44a5734a03bd0578f1d255917d590e840260
|
||||
SHA512 (scap-security-guide-0.1.63.tar.bz2) = ad2f7f873af22b0bc2916d8487f6d5621c65495c4c84a0a4e8c98969d5edd2a0833e956b32c19c893e1852b15adc65af24bb4fea7db71b3042c5e1b512a3957b
|
||||
SHA512 (scap-security-guide-0.1.66.tar.bz2) = 1eee044d7d160c6f271db9a2d5262de2a577e03e103fe697e341000c34bf5208037fc88e9f4d7bfdb0b04a46660c4244a7cba214a4fe949f94e3358b12f15cc3
|
||||
|