diff --git a/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch b/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch new file mode 100644 index 0000000..ac3b3a6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch 
@@ -0,0 +1,227 @@ +From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Thu, 21 Jul 2022 16:42:41 +0200 +Subject: [PATCH 1/3] Add platforms for partition existence + +--- + shared/applicability/general.yml | 14 +++++++++++++ + .../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++ + .../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++ + shared/macros/10-ansible.jinja | 5 +++++ + shared/macros/10-bash.jinja | 5 +++++ + shared/macros/10-oval.jinja | 21 +++++++++++++++++++ + 6 files changed, 65 insertions(+) + create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml + create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml + +diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml +index 2d23d753148..e2f5d04ce00 100644 +--- a/shared/applicability/general.yml ++++ b/shared/applicability/general.yml +@@ -77,6 +77,20 @@ cpes: + bash_conditional: {{{ bash_pkg_conditional("pam") }}} + ansible_conditional: {{{ ansible_pkg_conditional("pam") }}} + ++ - partition-var-tmp: ++ name: "cpe:/a:partition-var-tmp" ++ title: "There is a /var/tmp partition" ++ check_id: installed_env_mounts_var_tmp ++ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}} ++ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}} ++ ++ - partition-tmp: ++ name: "cpe:/a:partition-tmp" ++ title: "There is a /tmp partition" ++ check_id: installed_env_mounts_tmp ++ bash_conditional: {{{ bash_partition_conditional("/tmp") }}} ++ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}} ++ + - polkit: + name: "cpe:/a:polkit" + title: "Package polkit is installed" +diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml +new file mode 100644 +index 00000000000..c1bcd6b2431 +--- /dev/null ++++ b/shared/checks/oval/installed_env_mounts_tmp.xml +@@ -0,0 +1,10 @@ ++ ++ ++ {{{ oval_metadata("", title="Partition /tmp exists", 
affected_platforms=[full_name]) }}} ++ ++ {{{ partition_exists_criterion("/tmp") }}} ++ ++ ++ ++ {{{ partition_exists_tos("/tmp") }}} ++ +diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml +new file mode 100644 +index 00000000000..a72f49c8a8f +--- /dev/null ++++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml +@@ -0,0 +1,10 @@ ++ ++ ++ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}} ++ ++ {{{ partition_exists_criterion("/var/tmp") }}} ++ ++ ++ ++ {{{ partition_exists_tos("/var/tmp") }}} ++ +diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja +index 2d24f730d3f..478f0072bc7 100644 +--- a/shared/macros/10-ansible.jinja ++++ b/shared/macros/10-ansible.jinja +@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template. + when: + - result_pam_file_present.stat.exists + {{%- endmacro -%}} ++ ++ ++{{%- macro ansible_partition_conditional(path) -%}} ++"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" ++{{%- endmacro -%}} +diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja +index 94c3c6f9570..6a7fb165fd2 100644 +--- a/shared/macros/10-bash.jinja ++++ b/shared/macros/10-bash.jinja +@@ -2085,3 +2085,8 @@ else + echo "{{{ pam_file }}} was not found" >&2 + fi + {{%- endmacro -%}} ++ ++ ++{{%- macro bash_partition_conditional(path) -%}} ++'findmnt --mountpoint "{{{ path }}}" > /dev/null' ++{{%- endmacro -%}} +diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja +index c8d7bbeffb7..1ec93b6ef7d 100644 +--- a/shared/macros/10-oval.jinja ++++ b/shared/macros/10-oval.jinja +@@ -926,3 +926,24 @@ Generates the :code:`` tag for OVAL check using correct product platfo + {{%- else %}} + {{%- set user_list="nobody" %}} + {{%- endif %}} ++ ++ ++{{%- macro partition_exists_criterion(path) %}} ++{{%- set escaped_path = path | replace("/", "_") %}} ++ 
++{{%- endmacro %}} ++ ++{{%- macro partition_exists_tos(path) %}} ++{{%- set escaped_path = path | replace("/", "_") %}} ++ ++ ++ {{#- #}} ++ ++ ++ ++ {{{ path }}} ++ ++{{%- endmacro %}} + +From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Thu, 21 Jul 2022 16:43:21 +0200 +Subject: [PATCH 2/3] Use partition exist platforms on a real rule + +--- + .../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++- + .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +index 8ee8c8b12e0..741d0973283 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +@@ -38,7 +38,8 @@ references: + stigid@ol8: OL08-00-040132 + stigid@rhel8: RHEL-08-040132 + +-platform: machine ++platforms: ++ - machine and partition-var-tmp + + template: + name: mount_option +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh +new file mode 100644 +index 00000000000..241c0103d82 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++. 
$SHARED/partition.sh ++ ++clean_up_partition /var/tmp # Remove the partition from the system, and unmount it + +From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Wed, 10 Aug 2022 11:32:38 +0200 +Subject: [PATCH 3/3] Improve code style + +- Improve description of OVAL macro +- Use the escape_id filter to produce IDs +--- + shared/checks/oval/installed_env_mounts_tmp.xml | 2 +- + shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +- + shared/macros/10-oval.jinja | 7 +++---- + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml +index c1bcd6b2431..edd8ad050f5 100644 +--- a/shared/checks/oval/installed_env_mounts_tmp.xml ++++ b/shared/checks/oval/installed_env_mounts_tmp.xml +@@ -6,5 +6,5 @@ + + + +- {{{ partition_exists_tos("/tmp") }}} ++ {{{ partition_exists_test_object("/tmp") }}} + +diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml +index a72f49c8a8f..cf9aafbdb04 100644 +--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml ++++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml +@@ -6,5 +6,5 @@ + + + +- {{{ partition_exists_tos("/var/tmp") }}} ++ {{{ partition_exists_test_object("/var/tmp") }}} + +diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja +index 1ec93b6ef7d..f302091f7df 100644 +--- a/shared/macros/10-oval.jinja ++++ b/shared/macros/10-oval.jinja +@@ -929,18 +929,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo + + + {{%- macro partition_exists_criterion(path) %}} +-{{%- set escaped_path = path | replace("/", "_") %}} ++{{%- set escaped_path = path | escape_id %}} + + {{%- endmacro %}} + +-{{%- macro partition_exists_tos(path) %}} +-{{%- set escaped_path = path | replace("/", "_") %}} ++{{%- macro partition_exists_test_object(path) %}} ++{{%- set escaped_path = path | 
escape_id %}} + + +- {{#- #}} + + + diff --git a/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch b/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch new file mode 100644 index 0000000..1d5854e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch 
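Review bot: The rule.yml hunk in PATCH 2/3 switches `platform: machine` to the list form `platforms:` / `- machine and partition-var-tmp`, while the six sibling rules patched in the PR_9324 hunk further down keep the scalar `platform: machine and partition-tmp`; one form should be used across all seven rules so the build treats them alike. The new applicability also changes what a scan reports: on a host where /var/tmp is not a separate mount the rule now comes back notapplicable instead of fail, so a missing `nodev` on the filesystem that actually holds /var/tmp is no longer surfaced by this rule and is only caught if the profile also carries a partition-existence rule. That deserves a sentence in the rule description, e.g. `This rule is applicable only when /var/tmp is mounted as a separate partition; otherwise it is reported as not applicable.` The bash conditional `findmnt --mountpoint "/var/tmp"` and the ansible conditional are evaluated by different tooling, so a note in general.yml that the two must agree on what counts as "a partition" would help the next person who edits either macro.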
@@ -0,0 +1,92 @@
+From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Wed, 10 Aug 2022 13:35:50 +0200
+Subject: [PATCH] Add the platform applicability to relevant rules
+
+---
+ .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
+ .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
+ .../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
+ .../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
+ .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
+ .../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+index 45a73e0286a..79a19a8d30b 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+@@ -45,7 +45,7 @@ references:
+ stigid@ol8: OL08-00-040123
+ stigid@rhel8: RHEL-08-040123
+ 
+-platform: machine
++platform: machine and partition-tmp
+ 
+ template:
+ name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+index 7356183bab3..d3f6d6175e5 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+@@ -44,7 +44,7 @@ references:
+ stigid@ol8: OL08-00-040125
+ stigid@rhel8: RHEL-08-040125
+ 
+-platform: machine
++platform: machine and partition-tmp
+ 
+ template:
+ name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+index d153b86934f..10790dc95a7 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+@@ -45,7 +45,7 @@ references:
+ stigid@ol8: OL08-00-040124
+ stigid@rhel8: RHEL-08-040124
+ 
+-platform: machine
++platform: machine and partition-tmp
+ 
+ template:
+ name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+index 133e7727ca7..05992df4b49 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+@@ -31,7 +31,7 @@ references:
+ nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
+ nist-csf: PR.IP-1,PR.PT-3
+ 
+-platform: machine
++platform: machine and partition-var-tmp
+ 
+ template:
+ name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+index 39fd458ec6b..dc00b2f2376 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+@@ -38,7 +38,7 @@ references:
+ stigid@ol8: OL08-00-040134
+ stigid@rhel8: RHEL-08-040134
+ 
+-platform: machine
++platform: machine and partition-var-tmp
+ 
+ template:
+ name: mount_option
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+index 349f3348955..f0c26b6d9c5 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+@@ -38,7 +38,7 @@ references:
+ stigid@ol8: OL08-00-040133
+ stigid@rhel8: RHEL-08-040133
+ 
+-platform: machine
++platform: machine and partition-var-tmp
+ 
+ template:
+ name: mount_option
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch b/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
new file mode 100644
index 0000000..8da44fd
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
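Review bot: None of the six rules gains a `tests/notapplicable.pass.sh` scenario, although the identical change to mount_option_var_tmp_nodev in the PR_9204 hunk above came with one (`. $SHARED/partition.sh` followed by `clean_up_partition /var/tmp`); without it the test suite never exercises the notapplicable branch for these rules, and a regression in the partition-tmp or partition-var-tmp conditional would pass unnoticed. Adding the same three-line script under each rule's tests directory, with `clean_up_partition /tmp` for the three mount_option_tmp_* rules, keeps coverage uniform across the seven rules that now share the platform.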
@@ -0,0 +1,48 @@
+From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 15 Aug 2022 13:14:58 +0200
+Subject: [PATCH 1/2] Access the mounts via ansible_mounts
+
+It seems that the data about ansible_mounts should be accessed without
+the 'ansible_facts' prefix.
+---
+ shared/macros/10-ansible.jinja | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
+index 478f0072bc7..e8bff0973f5 100644
+--- a/shared/macros/10-ansible.jinja
++++ b/shared/macros/10-ansible.jinja
+@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
+ 
+ 
+ {{%- macro ansible_partition_conditional(path) -%}}
+-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
++"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+ {{%- endmacro -%}}
+
+From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 15 Aug 2022 13:16:24 +0200
+Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
+
+The json_query filter requires package jmespath to be installed.
+
+This also avoids mismatchs in python version between ansible and
+python3-jmespath. Some distros (RHEL8) don't have jmespath module
+available for the same python version ansible is using.
+---
+ shared/macros/10-ansible.jinja | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
+index e8bff0973f5..beb2bc11403 100644
+--- a/shared/macros/10-ansible.jinja
++++ b/shared/macros/10-ansible.jinja
+@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
+ 
+ 
+ {{%- macro ansible_partition_conditional(path) -%}}
+-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
++'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
+ {{%- endmacro -%}}
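Review bot: The final conditional `'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'` depends on the `ansible_mounts` fact, which exists only when fact gathering runs and includes the hardware subset; on a play with `gather_facts: false` or a restricted `gather_subset` the `when:` raises an undefined-variable error instead of evaluating to false, so the rule aborts rather than being skipped. The generated playbooks presumably gather facts, but the macro should state the requirement, e.g. a `{{# requires the ansible_mounts fact: gather_facts must run with the hardware subset #}}` line above the macro. An explicit fallback such as `ansible_mounts | default([])` would make the expression evaluate to false, but that silently turns an un-gathered fact into not-applicable, so the documenting comment is the safer choice.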
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch b/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch new file mode 100644 index 0000000..dd18148 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch 
@@ -0,0 +1,107 @@ +From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 5 Aug 2022 12:45:24 +0200 +Subject: [PATCH] Fix rule sudo_custom_logfile + +- Allow only white space after the Default keyword to avoid + matching words that only start with Default. +- If the variable value contains slashes they need to be escaped + because the sed command uses slashes as a separator, otherwise + the sed doesn't replace the wrong line during a remediation. + +Also adds 2 test scenarios. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109 +--- + .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- + .../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++ + .../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++ + shared/templates/sudo_defaults_option/ansible.template | 2 +- + shared/templates/sudo_defaults_option/bash.template | 5 +++-- + shared/templates/sudo_defaults_option/oval.template | 2 +- + 6 files changed, 14 insertions(+), 5 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh + create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh + +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +index 739f5f14936..94fbaaa33ed 100644 +--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo' + + ocil: |- + To determine if logfile has been configured for sudo, run the following command: +-
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
++
$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
+ The command should return a matching output. + + template: +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh +new file mode 100644 +index 00000000000..13ff4559edb +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers +diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh +new file mode 100644 +index 00000000000..ec24854f0f9 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers +diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template +index 094fa430b64..c9e344ec772 100644 +--- a/shared/templates/sudo_defaults_option/ansible.template ++++ b/shared/templates/sudo_defaults_option/ansible.template +@@ -8,7 +8,7 @@ + - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers + lineinfile: + path: /etc/sudoers +- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$' ++ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$' + line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2' + validate: /usr/sbin/visudo -cf %s + backrefs: yes +diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template +index e3563d42db6..e7d962a668d 100644 +--- a/shared/templates/sudo_defaults_option/bash.template ++++ b/shared/templates/sudo_defaults_option/bash.template +@@ -9,7 +9,7 @@ + {{% 
endif %}} + if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak +- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then ++ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then + # sudoers file doesn't define Option {{{ OPTION }}} + echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers + {{%- if not VARIABLE_NAME %}} +@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then + {{% if '/' in OPTION %}} + {{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}} + {{% endif %}} +- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers ++ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}} ++ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers + fi + fi + {{% endif %}} +diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template +index c0d81c95093..a9636a7204a 100644 +--- a/shared/templates/sudo_defaults_option/oval.template ++++ b/shared/templates/sudo_defaults_option/oval.template +@@ -13,7 +13,7 @@ + + + ^/etc/sudoers(|\.d/.*)$ +- ^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$ ++ ^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$ + 1 + + diff --git a/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch b/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch new file mode 100644 index 0000000..9c0ff1e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch 
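Review bot: Replacing `\w+` with `.+` in the ansible regexp `[-]?.+\b(.*)$` and in the sed pattern `[-]?.+(\b.*$)` makes the value match greedy, so on a constructed line such as `Defaults logfile=/var/log/sudo.log,requiretty` the `.+` runs to the last word boundary, `\2` captures nothing and the rewrite drops every option that followed the logfile value. A value class that stops at the option separator keeps the rest of the line: `regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?[^,\s]+(.*)$'` in the ansible template and `sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?[^,[:space:]]+(.*$)/\1$escaped_variable\2/" /etc/sudoers` in the bash one (quoted values containing spaces or commas would still need separate handling). The new `escaped_variable` only escapes `/`, yet `&` and `\` are also special on the replacement side of sed, so a variable value containing either would be written into /etc/sudoers incorrectly; escaping those two in the same expansion closes that gap. Note also that the grep guard was tightened to `Defaults[\s]*` while the sed address still uses `Defaults.*`, so the check and the rewrite no longer select the same lines.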
@@ -0,0 +1,967 @@ +From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Wed, 13 Apr 2022 20:06:18 +0800 +Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard + +This patch fixes the issue that the array is expanded to wildcard path instead of its elements. +A simple test case as follows: + + /etc/rsyslog.conf + include(file="/etc/rsyslog.d/*.conf" mode="optional") + + /etc/rsyslog.d/custom1.conf + local1.* /tmp/local1.out + + /etc/rsyslog.d/custom2.conf + local2.* /tmp/local2.out +--- + .../rsyslog_files_permissions/bash/shared.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index b794ea8db31..02b0c36d899 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -5,8 +5,8 @@ + RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) +-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) ++readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} 
f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) + + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Thu, 14 Apr 2022 15:58:04 +0800 +Subject: [PATCH 02/15] A better fix. + + * Should also fixed the CI failure. +--- + .../rsyslog_files_permissions/bash/shared.sh | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 02b0c36d899..1aebb8f9da5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -5,8 +5,10 @@ + RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" + # * And also the log file paths listed after rsyslog's $IncludeConfig directive + # (store the result into array for the case there's shell glob used as value of IncludeConfig) +-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) +-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) ++readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' 
/etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) + + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 15 Apr 2022 10:47:37 +0800 +Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog + +--- + .../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++ + .../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++ + 2 files changed, 113 insertions(+) + create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh + create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +new file mode 100755 +index 00000000000..7cb09128d78 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -0,0 +1,56 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Check rsyslog.conf with log file permissions 0600 from rules and ++# log file permissions 0600 from $IncludeConfig passes. 
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS=0600 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++mkdir ${conf_subdir} ++test_subdir_conf=${conf_subdir}/test_subdir.conf ++test_conf=${RSYSLOG_TEST_DIR}/test.conf ++cat << EOF > ${test_subdir_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++ ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +new file mode 100755 +index 00000000000..942eaf086a1 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -0,0 +1,57 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++ ++# Check rsyslog.conf with log file permissions 0600 from rules and ++# log file permissions 0601 from $IncludeConfig fails. 
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++mkdir ${conf_subdir} ++test_subdir_conf=${conf_subdir}/test_subdir.conf ++test_conf=${RSYSLOG_TEST_DIR}/test.conf ++cat << EOF > ${test_subdir_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++ ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++ ++EOF + +From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Thu, 19 May 2022 01:22:19 +0800 +Subject: [PATCH 04/15] The way using 'find' can be retired. 
+ +--- + .../rsyslog_files_permissions/bash/shared.sh | 20 +++++-------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 1aebb8f9da5..cece5930ee8 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + +-RSYSLOG_CONFIGS=() +-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++declare -a RSYSLOG_CONFIGS ++RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +-# Get full list of files to be checked +-# RSYSLOG_CONFIGS may contain globs such as +-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule +-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. +-RSYSLOG_FILES=() +-for ENTRY in "${RSYSLOG_CONFIGS[@]}" +-do +- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")") +- RSYSLOG_FILES+=("${FINDOUT[@]}") +-done +- +-# Check file and fix if needed. 
+-for LOG_FILE in "${RSYSLOG_FILES[@]}" ++# Browse each file selected above as containing paths of log files ++# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) ++for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" + do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + +From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 01:30:37 +0800 +Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/' + +--- + .../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index cece5930ee8..50d36d7426f 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + # Declare an array to hold the final list of different log file paths + declare -a LOG_FILE_PATHS + ++# Array to hold all rsyslog config entries + declare -a RSYSLOG_CONFIGS + RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + ++# Array to hold all rsyslog config files ++declare -a RSYSLOG_CONFIG_FILES ++for ENTRY in "${RSYSLOG_CONFIGS[@]}" ++do ++ # If directory, need to include files recursively ++ if [ -d "${ENTRY}" ] ++ then ++ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') ++ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") ++ elif [ -f "${ENTRY}" ] ++ then ++ 
RSYSLOG_CONFIG_FILES+=("${ENTRY}") ++ else ++ echo "Invalid include object: ${ENTRY}" ++ fi ++done ++ + # Browse each file selected above as containing paths of log files + # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" + do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + +From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 01:46:33 +0800 +Subject: [PATCH 06/15] Update test files. + +--- + .../tests/include_config_syntax_perms_0600.pass.sh | 2 ++ + .../tests/include_config_syntax_perms_0601.fail.sh | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 7cb09128d78..2ddd9fcb697 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF + + include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") + include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}" mode="optional") + + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR} + + EOF +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 942eaf086a1..73ff3332c6d 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF + + include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") + include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") ++include(file="${RSYSLOG_TEST_DIR}" mode="optional") + + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf + \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf ++\$IncludeConfig ${RSYSLOG_TEST_DIR} + + EOF + +From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Fri, 20 May 2022 10:03:32 +0800 +Subject: [PATCH 07/15] Rsyslog says we should include all files + +--- + .../rsyslog_files_permissions/bash/shared.sh | 2 +- + .../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++- + .../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++- + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 50d36d7426f..cd5014105e9 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -24,7 +24,7 @@ do + # If directory, need to 
include files recursively + if [ -d "${ENTRY}" ] + then +- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') ++ readarray -t FINDOUT < <(find "${ENTRY}" -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 2ddd9fcb697..755865ca522 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh + PERMS=0600 + + # setup test data +-create_rsyslog_test_logs 3 ++create_rsyslog_test_logs 4 + + # setup test log files and permissions + chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} + + # create test configuration file + conf_subdir=${RSYSLOG_TEST_DIR}/subdir + mkdir ${conf_subdir} + test_subdir_conf=${conf_subdir}/test_subdir.conf + test_conf=${RSYSLOG_TEST_DIR}/test.conf ++test_bak=${RSYSLOG_TEST_DIR}/test.bak ++ + cat << EOF > ${test_subdir_conf} + # rsyslog configuration file ++# test_subdir_conf + + #### RULES #### + +@@ -31,12 +35,22 @@ EOF + + cat << EOF > ${test_conf} + # rsyslog configuration file ++# test_conf + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[1]} + EOF + ++cat << EOF > ${test_bak} ++# rsyslog configuration file ++# test_bak ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[3]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 73ff3332c6d..063b1a0cbe5 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -10,20 +10,24 @@ PERMS_PASS=0600 + PERMS_FAIL=0601 + + # setup test data +-create_rsyslog_test_logs 3 ++create_rsyslog_test_logs 4 + + # setup test log files and permissions + chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} + + # create test configuration file + conf_subdir=${RSYSLOG_TEST_DIR}/subdir + mkdir ${conf_subdir} + test_subdir_conf=${conf_subdir}/test_subdir.conf + test_conf=${RSYSLOG_TEST_DIR}/test.conf ++test_bak=${RSYSLOG_TEST_DIR}/test.bak ++ + cat << EOF > ${test_subdir_conf} + # rsyslog configuration file ++# test_subdir_conf + + #### RULES #### + +@@ -32,12 +36,22 @@ EOF + + cat << EOF > ${test_conf} + # rsyslog configuration file ++# test_conf + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[1]} + EOF + ++cat << EOF > ${test_bak} ++# rsyslog configuration file ++# test_bak ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[3]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + +From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Sat, 21 May 2022 16:02:26 +0800 +Subject: [PATCH 08/15] Match glob() function of rsyslog + +--- + .../rsyslog_files_permissions/bash/shared.sh | 5 ++- + 
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++------- + .../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++------- + 3 files changed, 55 insertions(+), 28 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index cd5014105e9..38105bf086b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS + declare -a RSYSLOG_CONFIG_FILES + for ENTRY in "${RSYSLOG_CONFIGS[@]}" + do +- # If directory, need to include files recursively ++ # If directory, rsyslog will search for config files in recursively. ++ # However, files in hidden sub-directories or hidden files will be ignored. 
+ if [ -d "${ENTRY}" ] + then +- readarray -t FINDOUT < <(find "${ENTRY}" -type f) ++ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +index 755865ca522..a5a2f67fadc 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh + PERMS=0600 + + # setup test data +-create_rsyslog_test_logs 4 ++create_rsyslog_test_logs 5 + + # setup test log files and permissions + chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} + chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} ++chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} + +-# create test configuration file ++# create test configuration files + conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir + mkdir ${conf_subdir} +-test_subdir_conf=${conf_subdir}/test_subdir.conf +-test_conf=${RSYSLOG_TEST_DIR}/test.conf +-test_bak=${RSYSLOG_TEST_DIR}/test.bak ++mkdir ${conf_hiddir} + +-cat << EOF > ${test_subdir_conf} ++test_conf_in_subdir=${conf_subdir}/in_subdir.conf ++test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak ++ ++test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf ++test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf ++ ++cat << EOF > ${test_conf_in_subdir} + # rsyslog configuration file +-# test_subdir_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++*.* 
${RSYSLOG_TEST_LOGS[1]} + EOF + +-cat << EOF > ${test_conf} ++cat << EOF > ${test_conf_name_bak} + # rsyslog configuration file +-# test_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[1]} ++*.* ${RSYSLOG_TEST_LOGS[2]} + EOF + +-cat << EOF > ${test_bak} ++cat << EOF > ${test_conf_in_hiddir} + # rsyslog configuration file +-# test_bak ++# not used + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[3]} + EOF + ++cat << EOF > ${test_conf_dot_name} ++# rsyslog configuration file ++# not used ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[4]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index 063b1a0cbe5..a9d0adfb727 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -10,48 +10,61 @@ PERMS_PASS=0600 + PERMS_FAIL=0601 + + # setup test data +-create_rsyslog_test_logs 4 ++create_rsyslog_test_logs 5 + + # setup test log files and permissions + chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} + chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} + +-# create test configuration file ++# create test configuration files + conf_subdir=${RSYSLOG_TEST_DIR}/subdir ++conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir + mkdir ${conf_subdir} +-test_subdir_conf=${conf_subdir}/test_subdir.conf +-test_conf=${RSYSLOG_TEST_DIR}/test.conf 
+-test_bak=${RSYSLOG_TEST_DIR}/test.bak ++mkdir ${conf_hiddir} + +-cat << EOF > ${test_subdir_conf} ++test_conf_in_subdir=${conf_subdir}/in_subdir.conf ++test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak ++ ++test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf ++test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf ++ ++cat << EOF > ${test_conf_in_subdir} + # rsyslog configuration file +-# test_subdir_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++*.* ${RSYSLOG_TEST_LOGS[1]} + EOF + +-cat << EOF > ${test_conf} ++cat << EOF > ${test_conf_name_bak} + # rsyslog configuration file +-# test_conf + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[1]} ++*.* ${RSYSLOG_TEST_LOGS[2]} + EOF + +-cat << EOF > ${test_bak} ++cat << EOF > ${test_conf_in_hiddir} + # rsyslog configuration file +-# test_bak ++# not used + + #### RULES #### + + *.* ${RSYSLOG_TEST_LOGS[3]} + EOF + ++cat << EOF > ${test_conf_dot_name} ++# rsyslog configuration file ++# not used ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[4]} ++EOF ++ + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + +From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Sun, 22 May 2022 21:10:16 +0800 +Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code + +--- + .../rsyslog_files_permissions/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index 38105bf086b..e1129e34c81 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -54,7 +54,7 @@ do + then + 
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") +- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}") ++ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") + # Since above sed command might return more than one item (delimited by newline), split the particular + +From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001 +From: Flos Lonicerae +Date: Tue, 24 May 2022 00:42:17 +0800 +Subject: [PATCH 10/15] Added platform. + +--- + .../tests/include_config_syntax_perms_0601.fail.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +index a9d0adfb727..fe4db0a3c91 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + + # Check rsyslog.conf with log file permissions 0600 from rules and + # log file permissions 0601 from $IncludeConfig fails. 
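Review bot: The new awk filter keeps only the second whitespace-separated field, and only when it starts with `/` or `-/`, so a rule written in RainerScript form (`action(type="omfile" file="/var/log/...")`) appears to produce no path even though the preceding grep on `\S*/\S\+$` lets such a line through; whether that is intended or simply pre-existing is not visible here, but a comment stating the supported syntax would help: `# Only classic 'selector <ws> [-]/path' rules are parsed here; RainerScript action() lines yield no path`. The comment that follows, `# Since above sed command might return more than one item`, now sits after an awk stage and should name the pipeline rather than sed. The enclosing loop starts and ends outside the hunk.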
+ +From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 13:56:39 +0200 +Subject: [PATCH 11/15] Reset the arrays before using them + +When bash remediations for a profile are generated, it can happen that a +variable with same name is used for multiple remediations. +So let's reset the array before using it. +--- + .../rsyslog_files_permissions/bash/shared.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +index e1129e34c81..d1856ffbe7b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf + declare -a LOG_FILE_PATHS + + # Array to hold all rsyslog config entries +-declare -a RSYSLOG_CONFIGS +-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++RSYSLOG_CONFIGS=() ++RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") + +-# Array to hold all rsyslog config files +-declare -a RSYSLOG_CONFIG_FILES ++# Get full list of files to be checked ++# RSYSLOG_CONFIGS may contain globs such as ++# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule ++# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. ++RSYSLOG_CONFIG_FILES=() + for ENTRY in "${RSYSLOG_CONFIGS[@]}" + do + # If directory, rsyslog will search for config files in recursively. 
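Review bot: The comment restored above `RSYSLOG_CONFIG_FILES=()` describes the implementation that PATCH 04 removed: it says the globs in RSYSLOG_CONFIGS are resolved with find, but the include entries appear to be expanded already by the `eval printf` readarray at the top of the file (the commit for PATCH 15 relies on that too), and the loop below only tests each entry with `-d`/`-f` and uses find for directories. Suggest `# RSYSLOG_CONFIGS holds include paths that were already glob-expanded above; for each entry that is a directory, find collects the contained files.` The `RSYSLOG_CONFIGS=()` immediately followed by `RSYSLOG_CONFIGS=(...)` is harmless but redundant, since the second assignment already replaces the array. The loop body continues outside the hunk.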
+ +From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 14:55:37 +0200 +Subject: [PATCH 12/15] Don't parse hidden config files for Includes + +Let's follow rsyslog behavior and not capture process hidden config +files for includes. +--- + .../rsyslog_files_permissions/oval/shared.xml | 9 ++++ + ...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++ + 2 files changed, 62 insertions(+) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a04e6fd8900..d13177216c3 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -17,8 +17,17 @@ + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 ++ state_permissions_ignore_hidden_paths + + ++ ++ ++ ^.*\/\..*$ ++ ++ + + + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +new file mode 100644 +index 00000000000..9b0185c6b2f +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +@@ -0,0 +1,53 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 
8,multi_platform_fedora,Oracle Linux 8 ++ ++# Check rsyslog.conf with log file permisssions 0600 from rules and ++# log file permissions 0601 from include() fails. ++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# create hidden test2 configuration file ++test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf ++cat << EOF > ${test_conf2} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[2]} ++EOF ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${test_conf}") ++ ++\$IncludeConfig ${test_conf2} ++EOF + +From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 15:49:11 +0200 +Subject: [PATCH 13/15] Add test for for missing rsyslog included files + +The rsyslog conf file may include other config files. +If the included missing files are missing rsyslog will generate an +error, but will still continue working. +https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file + +There is not a good way of ensuring that all files defined in a list of paths exist. 
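Review bot: The header comment of the new `include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh` says the check "fails", but the file is a `.pass.sh` and the scenario the commit describes is that the 0601 log referenced only from the hidden `.test2.conf` is ignored, so the rule passes; the same copied wording appears in `include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh` in the next patch. Suggest `# Check that a log file with permissions 0601 referenced only from a hidden config file is ignored and the rule passes.` "permisssions" is also misspelled in both headers.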
+--- + ...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++ + 1 file changed, 45 insertions(+) + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +new file mode 100644 +index 00000000000..b929f2a94ab +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +@@ -0,0 +1,45 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 ++ ++# Check rsyslog.conf with log file permisssions 0600 from rules and ++# log file permissions 0601 from include() fails. 
++ ++source $SHARED/rsyslog_log_utils.sh ++ ++PERMS_PASS=0600 ++PERMS_FAIL=0601 ++ ++# setup test data ++create_rsyslog_test_logs 3 ++ ++# setup test log files and permissions ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} ++chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} ++chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} ++ ++# create test configuration file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[1]} ++EOF ++ ++# Skip creation test2 configuration file ++ ++# create rsyslog.conf configuration file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++ ++include(file="${test_conf}") ++ ++\$IncludeConfig ${test_conf2} ++EOF + +From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 21:47:18 +0200 +Subject: [PATCH 14/15] Align Ansible remediation with Bash + +The remediation now expands the glob expressions and doesn't collect +hidden files or directories to check for their permissions. 
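Review bot: `test_conf2` is never assigned in `include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh`, so the heredoc line `\$IncludeConfig ${test_conf2}` writes a bare `$IncludeConfig ` with no path into rsyslog.conf; the scenario therefore exercises an empty include directive rather than a missing included file, which is what the commit message describes. Assign the path without creating the file, e.g. `test_conf2=${RSYSLOG_TEST_DIR}/test2.conf` next to the `# Skip creation test2 configuration file` comment. The header comment also says the check "fails" although this is a `.pass.sh`.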
+--- + .../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +index 635b72f7352..c558bf46c71 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +@@ -19,19 +19,26 @@ + shell: | + set -o pipefail + grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true +- register: include_config_output ++ register: rsyslog_old_inc + changed_when: False + + - name: "Get include files directives" + shell: | + set -o pipefail + grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true +- register: include_files_output ++ register: rsyslog_new_inc + changed_when: False + ++- name: "Expand glob expressions" ++ shell: | ++ set -o pipefail ++ eval printf '%s\\n' {{ item }} ++ register: include_config_output ++ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" ++ + - name: "List all config files" +- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")" +- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}" ++ shell: find {{ item }} -not -path "*/.*" -type f ++ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" + register: rsyslog_config_files + changed_when: False + + +From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Aug 2022 21:56:05 +0200 +Subject: [PATCH 15/15] Ignore invalid or non existing include objects + +Let's not fail the task when the find doesn't find the 
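Review bot: The new "Expand glob expressions" task runs `eval printf '%s\\n' {{ item }}` with `item` taken from grep output of the rsyslog configuration, so whatever is in an `$IncludeConfig` or `include(file=...)` value is interpreted as shell by a task that runs as root; this mirrors the Bash remediation's `eval printf`, but a short comment stating that the include strings are trusted as root-owned configuration and why `eval` is needed (glob and variable expansion) would make the trade-off explicit. In the following task the unquoted `find {{ item }}` is word-split, so an expanded path containing whitespace would be searched as several paths; `find "{{ item }}" -not -path "*/.*" -type f` keeps each path intact. The `failed_when: False` added to that same task in PATCH 15/15 also hides permission errors from find, not only the missing-object case the commit message describes, which may be worth a comment.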
include object. +When the include is a glob expression that doesn't evaluate to any file +the glob itself is used in find command. + +The Bash remediation prints a message for each include that is not a +file is not a directory or doesn't exist. +--- + .../rsyslog_files_permissions/ansible/shared.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +index c558bf46c71..3a9380cf13b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +@@ -40,6 +40,7 @@ + shell: find {{ item }} -not -path "*/.*" -type f + loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" + register: rsyslog_config_files ++ failed_when: False + changed_when: False + + - name: "Extract log files" diff --git a/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch b/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch new file mode 100644 index 0000000..2ac4abd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch 
@@ -0,0 +1,90 @@ +From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:15 +0200 +Subject: [PATCH 1/4] fix ospp references + +--- + linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml +index c151d3c4aa1..f9b46c51ddd 100644 +--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml ++++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml +@@ -34,6 +34,7 @@ references: + disa: CCI-000213 + hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth + nist: AC-3 ++ ospp: FIA_UAU.1,FIA_AFL.1 + srg: SRG-OS-000480-GPOS-00227 + + ocil: |- + +From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:42 +0200 +Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index b47630c62b0..dcc41970043 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -115,7 +115,7 @@ selections: + - coredump_disable_storage + - coredump_disable_backtraces + - service_systemd-coredump_disabled +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - use_pam_wheel_for_su + + +From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:54 +0200 +Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp + +--- + products/rhel8/profiles/ospp.profile | 
2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile +index 39ad1797c7a..ebec8a3a6f9 100644 +--- a/products/rhel8/profiles/ospp.profile ++++ b/products/rhel8/profiles/ospp.profile +@@ -220,7 +220,7 @@ selections: + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + +From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 13:55:05 +0200 +Subject: [PATCH 4/4] update profile stability test + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5d73a8c6fef..21e93e310d5 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -242,7 +242,7 @@ selections: + - var_slub_debug_options=P + - var_auditd_flush=incremental_async + - var_accounts_max_concurrent_login_sessions=10 +-- var_authselect_profile=sssd ++- var_authselect_profile=minimal + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted diff --git a/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch b/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch new file mode 100644 index 0000000..74d6823 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch 
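Review bot: PATCH 2/4 changes `var_authselect_profile` in `products/rhel9/profiles/ospp.profile`, but only the rhel8 profile stability fixture is updated in PATCH 4/4; if a `tests/data/profile_stability/rhel9/ospp.profile` fixture exists it needs the same `minimal` value or the stability test will diverge. The `ospp: FIA_UAU.1,FIA_AFL.1` reference added in PATCH 1/4 comes with no explanation of how `enable_authselect` satisfies those requirements; a one-line rationale in the rule would help future reviewers.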
@@ -0,0 +1,50 @@
+From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Wed, 10 Aug 2022 09:59:57 +0200
+Subject: [PATCH] switch rule grub2_disable_interactive_boot for
+ grub2_disable_recovery in rhel8 ospp
+
+---
+ .../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
+ products/rhel8/profiles/ospp.profile | 2 +-
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 4 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+index 4f8d4ddcfde..fb126cbe7d8 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+@@ -17,6 +17,7 @@ rationale: |-
+ severity: medium
+
+ identifiers:
++ cce@rhel8: CCE-86006-4
+ cce@rhel9: CCE-85986-8
+
+ references:
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index ebec8a3a6f9..6e3b30f64bb 100644
+--- a/products/rhel8/profiles/ospp.profile
++++ b/products/rhel8/profiles/ospp.profile
+@@ -304,7 +304,7 @@ selections:
+ ## Disable Unauthenticated Login (such as Guest Accounts)
+ ## FIA_UAU.1
+ - require_singleuser_auth
+- - grub2_disable_interactive_boot
++ - grub2_disable_recovery
+ - grub2_uefi_password
+ - no_empty_passwords
+
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index 21e93e310d5..267b66a4f89 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -89,7 +89,7 @@ selections:
+ - ensure_redhat_gpgkey_installed
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+-- grub2_disable_interactive_boot
++- grub2_disable_recovery
+ - grub2_kernel_trust_cpu_rng
+ - grub2_page_poison_argument
+ - grub2_pti_argument
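Review bot: The diffstat in the patch preamble says `4 files changed, 3 insertions(+), 3 deletions(-)`, but only three file sections with two deletions follow, so one file's hunk (a single removed line) appears to have been lost when this patch was exported from PR 9321; re-export it and compare against upstream before packaging. If the missing hunk is the one that retires the rhel8 identifier from the rule being replaced, leaving it out would presumably leave `CCE-86006-4`, which this patch assigns to grub2_disable_recovery for rhel8, present in two places, which the build's CCE checks would flag; that is an inference from the counts, not visible here. The swap under `## FIA_UAU.1` in products/rhel8/profiles/ospp.profile also deserves a one-line note next to the selection, e.g. `## FIA_UAU.1: disable recovery-mode GRUB entries (replaces grub2_disable_interactive_boot on RHEL 8)`, since the profile comment above it still reads as if interactive boot were the control.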
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch b/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch new file mode 100644 index 0000000..68471b6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch 
@@ -0,0 +1,97 @@
+From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 2 Aug 2022 15:01:42 +0200
+Subject: [PATCH] Add rsyslogd to the list of tools check by aide
+
+RHEL products will also check for integrity of /usr/sbin/rsyslogd.
+---
+ .../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
+ .../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
+ .../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
+ .../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
+ .../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
+ .../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+index 9d1b7b675c9..5905ea8d0e6 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+@@ -22,6 +22,7 @@
+ - /usr/sbin/aureport
+ - /usr/sbin/ausearch
+ - /usr/sbin/autrace
++ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
+
+ - name: Ensure existing AIDE configuration for audit tools are correct
+ lineinfile:
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
+index d0a1ba2522f..a81e25c3950 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
+@@ -18,12 +18,11 @@
+ {{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
+ {{% endif %}}
+
+-{{% if product == 'ol8' %}}
++{{% if product == 'ol8' or 'rhel' in product %}}
+ {{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
+ {{% endif %}}
+
+ {{% for file in auditfiles %}}
+-
+ if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
+ sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
+ else
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+index 6ce56c1137a..ca9bf4f94d0 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+@@ -11,7 +11,7 @@
+ {{% if 'rhel' not in product and product != 'ol8' %}}
+
+ {{% endif %}}
+- {{% if product == 'ol8' %}}
++ {{% if product == 'ol8' or 'rhel' in product %}}
+
+ {{% endif %}}
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
+index 756b88d8a23..071dde13295 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
+@@ -7,7 +7,7 @@ aide --init
+
+
+ declare -a bins
+-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
+
+ for theFile in "${bins[@]}"
+ do
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
+index f3a2a126d3d..cb9bbfa7350 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
+@@ -4,7 +4,7 @@
+ yum -y install aide
+
+ declare -a bins
+-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
+
+ for theFile in "${bins[@]}"
+ do
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
+index 4315cef2073..a22aecb0000 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
+@@ -6,7 +6,7 @@ yum -y install aide
+ aide --init
+
+ declare -a bins
+-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
++bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
+
+ for theFile in "${bins[@]}"
+ do
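Review bot: The new list entry in ansible/shared.yml is written as a single inline conditional, `{{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}`, which renders to a whitespace-only line inside the YAML sequence on every other product and reads differently from the multi-line `{{% if %}}` / `{{% endif %}}` blocks this same patch uses in bash/shared.sh and oval/shared.xml; for consistency and readability write it as the block form `{{% if product == 'ol8' or 'rhel' in product %}}`, `- /usr/sbin/rsyslogd`, `{{% endif %}}` on three lines at the list's indentation. `'rhel' in product` is a substring test, so it matches any product id containing "rhel", which looks intended for the rhel family but is worth a short comment because the OVAL's opposite branch `'rhel' not in product and product != 'ol8'` must stay the exact negation or a product would get both or neither variant of the check. The three test scripts now add `/usr/sbin/rsyslogd` to `bins` unconditionally while the OVAL requires it only on rhel and ol8; the pass/fail outcomes still hold on other products, but a comment in the scripts saying the extra entry is harmless there would save the next reader a trip through the templates.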
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch b/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch new file mode 100644 index 0000000..7c0a252 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch 
@@ -0,0 +1,4490 @@
+From 0addbba742ef5470e911d391eb738e9da79ce7b7 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 1 Aug 2022 14:43:21 +0200
+Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R7
+
+---
+ ... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++++++++--------
+ 1 file changed, 233 insertions(+), 204 deletions(-)
+ rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%)
+
+diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+similarity index 96%
+rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
+rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+index 849ab06f66d..a02819d3002 100644
+--- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml
++++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml
+@@ -1,4 +1,4 @@
+-acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + + Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. + +@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf + + localpkg_gpgcheck =True + +-If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. + + Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. 
Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. + +@@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: + + Check the status of the kernel.kexec_load_disabled kernel parameter. + +@@ -885,7 +885,7 @@ $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sy + + If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
++If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
+ +@@ -907,7 +907,7 @@ fs.protected_symlinks = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: + + Check the status of the fs.protected_symlinks kernel parameter. + +@@ -925,7 +925,7 @@ $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl. + + If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. ++If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. 
DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + + When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. + +@@ -947,7 +947,7 @@ fs.protected_hardlinks = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: + + Check the status of the fs.protected_hardlinks kernel parameter. 
+ +@@ -965,7 +965,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl + + If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. ++If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+ + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +@@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: + + Check the status of the kernel.dmesg_restrict kernel parameter. + +@@ -1005,7 +1005,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl. + + If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
++If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. + + This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. + +@@ -1027,7 +1027,7 @@ kernel.perf_event_paranoid = 2 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: ++$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: + + Check the status of the kernel.perf_event_paranoid kernel parameter. + +@@ -1045,15 +1045,25 @@ $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sy + + If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. ++If conflicting results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. + +-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". 
++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Configure the operating system to require users to supply a password for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" file with the following command: ++$ sudo visudo ++ ++Remove any occurrences of "NOPASSWD" tags in the file. ++ ++Check the configuration of the /etc/sudoers.d/* files with the following command: ++$ sudo grep -ir nopasswd /etc/sudoers.d ++ ++Remove any occurrences of "NOPASSWD" tags in the file.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". + + Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: + +-$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* ++$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d + + %admin ALL=(ALL) NOPASSWD: ALL + +@@ -1222,7 +1232,7 @@ $ sudo grep slub_debug /etc/default/grub + + GRUB_CMDLINE_LINUX="slub_debug=P" + +-If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. 
Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
++If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.
+
+ Examples of attacks are buffer overflow attacks.
+
+@@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2
+
+ Issue the following command to make the changes take effect:
+
+-$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command:
++$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command:
+
+ $ sudo sysctl kernel.randomize_va_space
+
+@@ -1256,7 +1266,7 @@ $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sys
+
+ If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding.
+
+-If results are returned from more than one file location, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed.
++If conflicting results are returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed.
+
+ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file:
+
+@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS)
+
+ If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
+
+-If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
++If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+ /etc/sysctl.d/*.conf
+@@ -1606,7 +1616,7 @@ kernel.core_pattern = |/bin/false
+
+ The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
+
+-$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands:
++$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands:
+
+ $ sudo sysctl kernel.core_pattern
+
+@@ -1622,24 +1632,26 @@ $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/
+
+ If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding.
+
+-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+-
+-A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
+-
+-When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following command:
+-
+-$ sudo systemctl mask systemd-coredump.socket
+-
+-Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
+-
+-Reload the daemon for this change to take effect.
+-
+-$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
++
++A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
++
++When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following commands:
++
++$ sudo systemctl disable --now systemd-coredump.socket
++
++$ sudo systemctl mask systemd-coredump.socket
++
++Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
++
++Reload the daemon for this change to take effect.
++
++$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command:
+
+ $ sudo systemctl status systemd-coredump.socket
+
+ systemd-coredump.socket
+-Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
++Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
+ Active: inactive (dead)
+
+ If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+@@ -2347,40 +2359,40 @@ $ sudo grep -i lock-command /etc/tmux.conf
+
+ set -g lock-command vlock
+
+-If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
++If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+
+-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
++Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
+
+-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
++Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory:
+
+-If [ "$PS1" ]; then
++if [ "$PS1" ]; then
++parent=$(ps -o ppid= -p $$)
++name=$(ps -o comm= -p $parent)
++case "$name" in (sshd|login) exec tmux ;; esac
++fi
++
++This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
++
++Determine if tmux is currently running:
++$ sudo ps all | grep tmux | grep -v grep
++
++If the command does not produce output, this is a finding.
++
++Determine the location of the tmux script:
++$ sudo grep -r tmux /etc/bashrc /etc/profile.d
++
++/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
++
++Review the tmux script by using the following example:
++$ sudo cat /etc/profile.d/tmux.sh
++if [ "$PS1" ]; then
+ parent=$(ps -o ppid= -p $$)
+ name=$(ps -o comm= -p $parent)
+ case "$name" in (sshd|login) exec tmux ;; esac
+ fi
+
+-This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands:
+-
+-Determine if tmux is currently running:
+-$ sudo ps all | grep tmux | grep -v grep
+-
+-If the command does not produce output, this is a finding.
+-
+-Determine the location of the tmux script:
+-$ sudo grep tmux /etc/bashrc/etc/profile.d/*
+-
+-/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
+-
+-Review the tmux script by using the following example:
+-$ sudo cat /etc/profile.d/tmux.sh
+-If [ "$PS1" ]; then
+-parent=$(ps -o ppid= -p $$)
+-name=$(ps -o comm= -p $parent)
+-case "$name" in (sshd|login) exec tmux ;; esac
+-fi
+-
+ If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+
+ The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
+@@ -2540,7 +2552,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality
+
+ password required pam_pwquality.so
+
+-If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
+
+ Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+
+-ucredit = -1Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
++ucredit = -1Verify the value for "ucredit" with the following command:
+
+-$ sudo grep ucredit /etc/security/pwquality.conf
++$ sudo grep -r ucredit /etc/security/pwquality.conf*
+
+-ucredit = -1
++/etc/security/pwquality.conf:ucredit = -1
+
+-If the value of "ucredit" is a positive number or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "ucredit" is a positive number or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th
+
+ Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+
+-lcredit = -1Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
++lcredit = -1Verify the value for "lcredit" with the following command:
+
+-$ sudo grep lcredit /etc/security/pwquality.conf
++$ sudo grep -r lcredit /etc/security/pwquality.conf*
+
+-lcredit = -1
++/etc/security/pwquality.conf:lcredit = -1
+
+-If the value of "lcredit" is a positive number or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "lcredit" is a positive number or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
+
+ Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+
+-dcredit = -1Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
++dcredit = -1Verify the value for "dcredit" with the following command:
+
+-$ sudo grep dcredit /etc/security/pwquality.conf
++$ sudo grep -r dcredit /etc/security/pwquality.conf*
+
+-dcredit = -1
++/etc/security/pwquality.conf:dcredit = -1
+
+-If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "dcredit" is a positive number or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
+
+ Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
+
+-maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
++maxclassrepeat = 4Check for the value of the "maxclassrepeat" option with the following command:
+
+-$ sudo grep maxclassrepeat /etc/security/pwquality.conf
++$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf*
+
+-maxclassrepeat = 4
++/etc/security/pwquality.conf:maxclassrepeat = 4
+
+-If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
+
+ Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+
+-maxrepeat = 3Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
++maxrepeat = 3Check for the value of the "maxrepeat" option with the following command:
+
+-$ sudo grep maxrepeat /etc/security/pwquality.conf
++$ sudo grep -r maxrepeat /etc/security/pwquality.conf*
+
+-maxrepeat = 3
++/etc/security/pwquality.conf:maxrepeat = 3
+
+-If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
+
+ Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+
+-minclass = 4Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
++minclass = 4Verify the value of the "minclass" option with the following command:
++
++$ sudo grep -r minclass /etc/security/pwquality.conf*
+
+-$ sudo grep minclass /etc/security/pwquality.conf
+-minclass = 4
++/etc/security/pwquality.conf:minclass = 4
+
+-If the value of "minclass" is set to less than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "minclass" is set to less than "4" or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The "
+
+ Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+-difok = 8Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
++difok = 8Verify the value of the "difok" option with the following command:
+
+-$ sudo grep difok /etc/security/pwquality.conf
++$ sudo grep -r difok /etc/security/pwquality.conf*
+
+-difok = 8
++/etc/security/pwquality.conf:difok = 8
+
+-If the value of "difok" is set to less than "8" or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
++If the value of "difok" is set to less than "8" or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+
+ $ sudo chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater.
+
+@@ -2689,7 +2709,7 @@ $ sudo grep -i remember /etc/pam.d/password-auth
+
+ password required pam_pwhistory.so use_authtok remember=5 retry=3
+
+-If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
++If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion><
+
+ Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
+-minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
++minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
+
+-Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
++Check for the value of the "minlen" option with the following command:
+
+-$ sudo grep minlen /etc/security/pwquality.conf
+-minlen = 15
++$ sudo grep -r minlen /etc/security/pwquality.conf*
+
+-If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
++/etc/security/pwquality.conf:minlen = 15
++
++If the command does not return a "minlen" value of 15 or greater, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
+
+@@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac
+ $ sudo chage -l system_account_name
+
+ Verify each of these accounts has an expiration date set within 72 hours.
+-If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+
+@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note
+
+ Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+
+-ocredit = -1Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
++ocredit = -1Verify the value for "ocredit" with the following command:
+
+-$ sudo grep ocredit /etc/security/pwquality.conf
++$ sudo grep -r ocredit /etc/security/pwquality.conf*
+
+-ocredit = -1
++/etc/security/pwquality.conf:ocredit = -1
+
+-If the value of "ocredit" is a positive number or is commented out, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
++If the value of "ocredit" is a positive number or is commented out, this is a finding.
++If conflicting results are returned, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
+
+ RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002007Configure the SSSD to prohibit the use of cached authentications after one day.
+ +@@ -2842,19 +2865,20 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf + + offline_credentials_expiration = 1 + +-If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. 
++If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. + + Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: + +-dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. ++dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. 
+ +-Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: ++Determine if the field "dictcheck" is set with the following command: + +-$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf ++$ sudo grep -r dictcheck /etc/security/pwquality.conf* + +-dictcheck=1 ++/etc/security/pwquality.conf:dictcheck=1 + +-If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. ++If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. + + Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. + +@@ -4281,7 +4305,7 @@ root /sbin/auditd + root /sbin/rsyslogd + root /sbin/augenrules + +-If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. ++If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. 
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + +@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th + /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 +-/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. ++/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. + + If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. + + Check the selection lines to ensure AIDE is configured to add/check with the following command: + +-$ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf ++$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf + + /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +@@ -4312,7 +4336,7 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf + /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + +-If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. 
If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. ++If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. + + The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001849Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. 
+ +@@ -4951,17 +4975,25 @@ p2p-dev-wlp7s0 wifi-p2p disconnected -- + lo loopback unmanaged -- + virbr0-nic tun unmanaged -- + +-If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. ++If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. + + This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. + +-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. ++Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. + + Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: + + install bluetooth /bin/true + +-Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. ++Disable the ability to use the Bluetooth kernel module. ++ ++$ sudo vi /etc/modprobe.d/blacklist.conf ++ ++Add or update the line: ++ ++blacklist bluetooth ++ ++Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. + + This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision. + +@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/* + + /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true + +-If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. ++If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. ++ ++Verify the operating system disables the ability to use Bluetooth with the following command: ++ ++$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" ++ ++blacklist bluetooth ++ ++If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. + + The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +@@ -5361,15 +5401,17 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config + + RekeyLimit 1G 1h + +-If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. 
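Review bot: The new Bluetooth check command `$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"` cannot do what the check text expects, because `grep -r` prefixes every match with its file name: `grep -v "^#"` never removes a commented-out `#blacklist bluetooth` line, and the documented expected output `blacklist bluetooth` will not equal the prefixed output, so a reviewer following the text literally gets a false finding while a commented-out entry passes. Using `grep -rh bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"` would make the comment filter and the expected output consistent, or the expected line should be shown with its file-name prefix as the pwquality hunks above do (`/etc/security/pwquality.conf:minlen = 15`). The same hunk still carries the older expectation `/etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true`, while the fix text in the previous hunk now adds `blacklist bluetooth` to blacklist.conf; the two expectations are not reconciled for the reader. This is vendored DISA STIG text, so the correction belongs upstream, and the rule's enclosing element starts and ends outside the hunk.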
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: +- +-$ sudo systemctl mask ctrl-alt-del.target +- +-Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null +- +-Reload the daemon for this change to take effect. +- +-$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: ++If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: ++ ++$ sudo systemctl disable ctrl-alt-del.target ++ ++$ sudo systemctl mask ctrl-alt-del.target ++ ++Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null ++ ++Reload the daemon for this change to take effect. ++ ++$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + + $ sudo systemctl status ctrl-alt-del.target + +@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul + + $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd + +-If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
++If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
+ 
+ The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+ /etc/sysctl.d/*.conf
+@@ -5454,7 +5496,7 @@ net.ipv6.conf.default.accept_redirects = 0
+ 
+ Load settings from all system configuration files with the following command:
+ 
+-$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages.
++$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages.
+ 
+ Note: If IPv6 is disabled on the system, this requirement is Not Applicable.
+ 
+@@ -5474,7 +5516,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/
+ 
+ If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding.
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. + +@@ -5492,9 +5534,7 @@ net.ipv4.conf.all.send_redirects=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. + + Check the value of the "all send_redirects" variables with the following command: + +@@ -5512,7 +5552,7 @@ $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/ + + If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. 
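Review bot: The new-side line `++$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages.` keeps a pre-existing wording defect, the missing verb, so the check title reads as a fragment; `Verify RHEL 8 does not send IPv4 ICMP redirect messages.` is what the rule title (RHEL-08-040220, "must not send ... redirects") implies. The same hunk drops the "Note: If IPv4 is disabled on the system, this requirement is Not Applicable." sentence, as the following hunk does for RHEL-08-040230, which is presumably intentional but is not explained anywhere visible. This is vendored DISA STIG text, so the wording fix belongs upstream; the enclosing rule element starts and ends outside the hunk.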
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +@@ -5529,9 +5569,7 @@ net.ipv4.icmp_echo_ignore_broadcasts=1 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. 
++$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. + + Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: + +@@ -5549,7 +5587,7 @@ $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/lo + + If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5565,7 +5603,7 @@ net.ipv6.conf.all.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. ++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5585,7 +5623,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l + + If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5601,7 +5639,7 @@ net.ipv6.conf.default.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. ++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5621,7 +5659,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /u + + If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5637,7 +5675,7 @@ net.ipv6.conf.all.forwarding=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. ++$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5657,7 +5695,7 @@ $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ + + If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + An illicit router advertisement message could result in a man-in-the-middle attack. + +@@ -5675,7 +5713,7 @@ net.ipv6.conf.all.accept_ra=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. ++$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is not applicable. + +@@ -5695,7 +5733,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/s + + If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + An illicit router advertisement message could result in a man-in-the-middle attack. + +@@ -5713,7 +5751,7 @@ net.ipv6.conf.default.accept_ra=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. ++$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. + + Note: If IPv6 is disabled on the system, this requirement is not applicable. + +@@ -5733,7 +5771,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/l + + If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. 
++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. + + There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. + +@@ -5751,9 +5789,7 @@ net.ipv4.conf.default.send_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. + + Check the value of the "default send_redirects" variables with the following command: + +@@ -5771,7 +5807,7 @@ $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/lo + + If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5787,7 +5823,7 @@ net.ipv6.conf.all.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. ++$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. + + Note: If IPv6 is disabled on the system, this requirement is Not Applicable. + +@@ -5807,7 +5843,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca + + If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5821,7 +5857,7 @@ kernel.unprivileged_bpf_disabled = 1 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: + + $ sudo sysctl kernel.unprivileged_bpf_disabled + +@@ -5837,7 +5873,7 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/ + + If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5851,7 +5887,7 @@ kernel.yama.ptrace_scope = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: + + $ sudo sysctl kernel.yama.ptrace_scope + +@@ -5867,7 +5903,7 @@ $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysc + + If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: + + $ sudo sysctl kernel.kptr_restrict + + kernel.kptr_restrict = 1 + +-If the returned line does not have a value of "1", or a line is not returned, this is a finding. ++If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. + + Check that the configuration files are present to enable this network parameter. + +@@ -5895,9 +5931,9 @@ $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d + + /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 + +-If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding. ++If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5913,7 +5949,7 @@ user.max_user_namespaces = 0 + + The system configuration files need to be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: + + Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. + +@@ -5931,7 +5967,7 @@ $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysc + + If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -5945,13 +5981,13 @@ net.ipv4.conf.all.rp_filter = 1 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: + + $ sudo sysctl net.ipv4.conf.all.rp_filter + + net.ipv4.conf.all.rp_filter = 1 + +-If the returned line does not have a value of "1", or a line is not returned, this is a finding. ++If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. + + Check that the configuration files are present to enable this network parameter. + +@@ -5959,9 +5995,9 @@ $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/s + + /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 + +-If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding. ++If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. 
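Review bot: Accepting `"1" or "2"` for net.ipv4.conf.all.rp_filter in the two changed "If the returned line…" / "If … is not set to…" lines (the second in hunk @@ -5959) relaxes the check from strict to loose reverse-path filtering, since a value of 2 only requires that the source address be reachable through some interface rather than the one the packet arrived on. This is different in kind from the parallel kernel.kptr_restrict change in hunk @@ -5881, where 2 is stricter than 1. Worth confirming whether the project's check and remediation for this STIG ID are meant to follow the benchmark and tolerate 2, or keep requiring strict mode and document the deviation.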
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: + + $ sudo 
postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. + +@@ -6155,23 +6191,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* + + If the either of the following entries are returned, this is a finding: + ALL ALL=(ALL) ALL +-ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. ++ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
+ For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: + Defaults !targetpw + Defaults !rootpw +-Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. ++Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. + +-$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' ++$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' + + /etc/sudoers:Defaults !targetpw + /etc/sudoers:Defaults !rootpw + /etc/sudoers:Defaults !runaspw + +-If no results are returned, this is a finding. +-If results are returned from more than one file location, this is a finding. ++If conflicting results are returned, this is a finding. + If "Defaults !targetpw" is not defined, this is a finding. + If "Defaults !rootpw" is not defined, this is a finding. +-If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
++If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. + +@@ -6181,12 +6216,12 @@ $ sudo visudo + + Add or modify the following line: + Defaults timestamp_timeout=[value] +-Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. ++Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. + +-$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* ++$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d + /etc/sudoers:Defaults timestamp_timeout=0 + +-If results are returned from more than one file location, this is a finding. ++If conflicting results are returned, this is a finding. + + If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
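Review bot: The new check command `$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'` drops the leading `!` from the pattern, so a line that enables `Defaults targetpw` matches exactly like `Defaults !targetpw`, and the three "is not defined" conditions that follow now depend on the reader comparing the printed lines rather than on the command filtering them. The trailing `grep -v '#'` also discards any matching directive that carries a trailing `#` comment, which sudoers allows, and `/etc/sudoers.d*` matches any path starting with that prefix rather than only the drop-in directory. Removing `If no results are returned, this is a finding.` leaves the empty-output case covered only by the three per-directive sentences. If this text is mirrored from the published benchmark it cannot be corrected here, but an automated check for this STIG ID should not inherit the `grep -v '#'` filter or the unanchored glob.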
+ +@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server + + openssh-server.x86_64 8.0p1-5.el8 @anaconda + +-If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. ++If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -6751,9 +6786,7 @@ net.ipv4.conf.default.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. 
+- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. + + Check the value of the default "accept_redirects" variables with the following command: + +@@ -6771,7 +6804,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ + + If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -6787,9 +6820,7 @@ net.ipv4.conf.all.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. + + Check the value of the accept source route variable with the following command: + +@@ -6807,7 +6838,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l + + If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -6823,9 +6854,7 @@ net.ipv4.conf.default.accept_source_route=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. + + Check the value of the accept source route variable with the following command: + +@@ -6843,7 +6872,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /u + + If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. + +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -6859,9 +6888,7 @@ net.ipv4.conf.all.accept_redirects = 0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. + + Check the value of the "accept_redirects" variables with the following command: + +@@ -6879,7 +6906,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca + + If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. + +@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2 + + The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: + +-$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: ++$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: + + $ sudo sysctl net.core.bpf_jit_harden + +@@ -6911,7 +6938,7 @@ $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysct + + If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. ++If conflicting results are returned, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. + + Procedure: + Check that the following package has been installed: +@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock + + unconfined_u:object_r:faillog_t:s0 /var/log/faillock + +-If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. ++If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. + + The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + /etc/sysctl.d/*.conf +@@ -7001,15 +7028,13 @@ net.ipv4.conf.all.forwarding=0 + + Load settings from all system configuration files with the following command: + +-$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. +- +-Note: If IPv4 is disabled on the system, this requirement is Not Applicable. ++$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. + + Check that IPv4 forwarding is disabled using the following command: + +-$ sudo sysctl net.ipv4.ip_forward ++$ sudo sysctl net.ipv4.conf.all.forwarding + +-net.ipv4.ip_forward = 0 ++net.ipv4.conf.all.forwarding = 0 + If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. + + Check that the configuration files are present to enable this network parameter. +@@ -7020,7 +7045,7 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ + + If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. 
+ +-If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: ++If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: + + Perform a password reset: + $ sudo passwd [username] +@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64 + + If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. + +-If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. +- ++If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. 
The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. ++ + It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. + + Edit the /etc/sudoers file with the following command: +@@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command: + $ sudo visudo + + Add or modify the following line: +-#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: ++#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. 
++ ++Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: + + $ sudo grep include /etc/sudoers + +@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s + + Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: + +-$ sudo grep include /etc/sudoers.d/* ++$ sudo grep -r include /etc/sudoers.d + + If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + +@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality + + password required pam_pwquality.so retry=3 + +-If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. 
++If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. + + RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: + /etc/pam.d/password-auth +@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi + + Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): + +-retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. ++retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. + + Verify the operating system is configured to limit the "pwquality" retry option to 3. + + Check for the use of the "pwquality" retry option with the following command: + +-$ sudo grep retry /etc/security/pwquality.conf ++$ sudo grep -r retry /etc/security/pwquality.conf* + +-retry = 3 ++/etc/security/pwquality.conf:retry = 3 + + If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. + ++If conflicting results are returned, this is a finding. 
++ + Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: + + $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth + +From feea7690b848d68c150712c841c74703b70e1a02 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 Aug 2022 14:46:19 +0200 +Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R6 + +The V1R6 SCAP content is aligned with the V1R7 manual benchmark. +--- + ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++-------- + 1 file changed, 539 insertions(+), 406 deletions(-) + rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%) + +diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml +similarity index 96% +rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml +rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml +index 1bd2fb7b659..e87b16eb377 100644 +--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml ++++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml +@@ -1,36 +1,36 @@ + +- +- ++ ++ + +- ++ + +- ++ + + + + +- ++ + +- ++ + + + + +- +- ++ ++ + + +- ++ + + + Red Hat Enterprise Linux 8 +- oval:mil.disa.stig.rhel8:def:1 ++ oval:mil.disa.stig.rhel8:def:1 + + + +- ++ + +- accepted ++ accepted + Red Hat Enterprise Linux 8 Security Technical Implementation Guide + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
+ +@@ -40,11 +40,11 @@ + DISA + STIG.DOD.MIL + +- Release: 1.5 Benchmark Date: 27 Apr 2022 ++ Release: 1.6 Benchmark Date: 27 Jul 2022 + 3.3.0.27375 + 1.10.0 + +- 001.005 ++ 001.006 + + DISA + DISA +@@ -2189,15 +2189,15 @@ + + + +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ + + +- ++ + + + +@@ -2217,7 +2217,7 @@ + + + +- ++ + + + +@@ -2237,26 +2237,26 @@ + + + +- ++ + + +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ + + + + + +- ++ + + +- +- ++ ++ + + + +@@ -2337,7 +2337,7 @@ + + + +- ++ + + + +@@ -2355,21 +2355,21 @@ + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -2379,9 +2379,9 @@ + + + +- +- +- ++ ++ ++ + + + SRG-OS-000480-GPOS-00227 +@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L + Upgrade to a supported version of RHEL 8. + + +- ++ + + + +@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable + Reboot the system for the changes to take effect. + + +- ++ + + + +@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M + ENCRYPT_METHOD SHA512 + + +- ++ + + + +@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth + Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. 
+ + +- ++ + + + +@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ + SHA_CRYPT_MIN_ROUNDS 5000 + + +- ++ + + + +@@ -2549,7 +2549,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2577,7 +2577,7 @@ Enter password: + Confirm password: + + +- ++ + + + +@@ -2601,7 +2601,7 @@ Confirm password: + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + +- ++ + + + +@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include + password sufficient pam_unix.so sha512 + + +- ++ + + + +@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + Remove any files with the .keytab extension from the operating system. + + +- ++ + + + +@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-workstation + + +- ++ + + + +@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o + $ sudo yum install policycoreutils + + +- ++ + + + +@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. 
+ $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0640 /var/log/messages + + +- ++ + + + +@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log/messages + + +- ++ + + + +@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log/messages + + +- ++ + + + +@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chmod 0755 /var/log + + +- ++ + + + +@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chown root /var/log + + +- ++ + + + +@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the + $ sudo chgrp root /var/log + + +- ++ + + + +@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 + A reboot is required for the changes to take effect. 
+ + +- ++ + + + +@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod + $ sudo chmod 755 [FILE] + + +- ++ + + + +@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o + $ sudo chown root [FILE] + + +- ++ + + + +@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g + $ sudo chgrp root [FILE] + + +- ++ + + + +@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i + gpgcheck=1 + + +- ++ + + + +@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: + localpkg_gpgcheck=True + + +- ++ + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010372 + RHEL 8 must prevent the loading of a new kernel for later execution. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010373 + RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
+@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000312-GPOS-00122 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010374 + RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. + <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010375 + RHEL 8 must restrict access to the kernel message buffer. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
+@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010376 + RHEL 8 must prevent kernel profiling by unprivileged users. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000373-GPOS-00156 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010380 + RHEL 8 must require users to provide a password for privilege escalation. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO + 2921 + + CCI-002038 +- Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. +- ++ Configure the operating system to require users to supply a password for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" file with the following command: ++$ sudo visudo ++ ++Remove any occurrences of "NOPASSWD" tags in the file. 
++ ++Check the configuration of the /etc/sudoers.d/* files with the following command: ++$ sudo grep -ir nopasswd /etc/sudoers.d ++ ++Remove any occurrences of "NOPASSWD" tags in the file. ++ + +- ++ + + + +@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO + Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. + + +- ++ + + + +@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi + $ sudo yum install openssl-pkcs11 + + +- ++ + + + + + SRG-OS-000433-GPOS-00193 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010430 + RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. + <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. +@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect: + $ sudo sysctl --system + + +- ++ + + + +@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con + clean_requirements_on_remove=True + + +- ++ + + + +@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted + A reboot is required for the changes to take effect. + + +- ++ + + + +@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect. + $ sudo rm /etc/ssh/shosts.equiv + + +- ++ + + + +@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv + $ sudo rm /[path]/[to]/[file]/.shosts + + +- ++ + + + +@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. 
To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3673,7 +3683,7 @@ Compression no + The SSH service must be restarted for changes to take effect. + + +- ++ + + + +@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var" path onto a separate file system. + + +- ++ + + + +@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/var/log" path onto a separate file system. + + +- ++ + + + +@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service + Migrate the system audit data path onto a separate file system. + + +- ++ + + + +@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service + Migrate the "/tmp" directory onto a separate file system/partition. + + +- ++ + + + +@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service + $ sudo systemctl enable rsyslog.service + + +- ++ + + + +@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. + + +- ++ + + + +@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. 
+ + +- ++ + + + +@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. + + +- ++ + + + +@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service + Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010671 + RHEL 8 must disable the kernel.core_pattern. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard core 0 + + +- ++ + + + +@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + Storage=none + + +- ++ + + + +@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: + ProcessSizeMax=0 + + +- ++ + + + +@@ -4135,7 +4145,7 @@ ProcessSizeMax=0 + CREATE_HOME yes + + +- ++ + + + +@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + deny = 3 + + +- ++ + + + +@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + fail_interval = 900 + + +- ++ + + + +@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + unlock_time = 0 + + +- ++ + + + +@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + silent + + +- ++ + + + +@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + audit + + +- ++ + + + +@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. 
To restart + $ sudo systemctl restart sssd.service + + +- ++ + + + +@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: + even_deny_root + + +- ++ + + + +@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con + * hard maxlogins 10 + + +- ++ + + + +@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: + set -g lock-command vlock + + +- ++ + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020041 + RHEL 8 must ensure session control is automatically started at shell initialization. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. + + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + +-Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. ++Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
+ + Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + +@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion + 2921 + + CCI-000056 +- Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: ++ Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: + +-If [ "$PS1" ]; then ++if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in (sshd|login) exec tmux ;; esac + fi + + This setting will take effect at next logon. +- ++ + +- ++ + + + +@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion + Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. + + +- ++ + + + +@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin + password required pam_pwquality.so + + +- ++ + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020110 + RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ucredit = -1 + + +- ++ + + + + + SRG-OS-000070-GPOS-00038 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020120 + RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + lcredit = -1 + + +- ++ + + + + + SRG-OS-000071-GPOS-00039 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020130 + RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + dcredit = -1 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020140 + RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin + maxclassrepeat = 4 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020150 + RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + maxrepeat = 3 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020160 + RHEL 8 must require the change of at least four character classes when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin + minclass = 4 + + +- ++ + + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020170 + RHEL 8 must require the change of at least 8 characters when passwords are changed. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + difok = 8 + + +- ++ + + + +@@ -4977,7 +4987,7 @@ difok = 8 + $ sudo chage -m 1 [user] + + +- ++ + + + +@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ + PASS_MIN_DAYS 1 + + +- ++ + + + +@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MAX_DAYS 60 + + +- ++ + + + +@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 + $ sudo chage -M 60 [user] + + +- ++ + + + +@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have + password required pam_pwhistory.so use_authtok remember=5 retry=3 + + +- ++ + + + + + SRG-OS-000078-GPOS-00046 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020230 + RHEL 8 passwords must have a minimum of 15 characters. + <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to + minlen = 15 + + +- ++ + + + +@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: + PASS_MIN_LEN 15 + + +- ++ + + + +@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 + DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. + + +- ++ + + + + + SRG-OS-000266-GPOS-00101 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020280 + All RHEL 8 passwords must contain at least one special character. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
+@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha + ocredit = -1 + + +- ++ + + + + + SRG-OS-000480-GPOS-00225 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-020300 + RHEL 8 must prevent the use of dictionary words for passwords. + <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a + dictcheck=1 + + +- ++ + + + +@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr + FAIL_DELAY 4 + + +- ++ + + + +@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -5319,7 +5329,7 @@ PrintLastLog yes + The SSH service must be restarted for changes to "sshd_config" to take effect. + + +- ++ + + + +@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 + UMASK 077 + + +- ++ + + + +@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator + action_mail_acct = root + + +- ++ + + + +@@ -5441,7 +5451,7 @@ disk_error_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". + + +- ++ + + + +@@ -5475,7 +5485,7 @@ disk_full_action = HALT + If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". + + +- ++ + + + +@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: + local_events = yes + + +- ++ + + + +@@ -5535,7 +5545,7 @@ name_format = hostname + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5565,7 +5575,7 @@ log_format = ENRICHED + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] + Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". + + +- ++ + + + +@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + log_group = root + + +- ++ + + + +@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". 
+ + +- ++ + + + +@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] + Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". + + +- ++ + + + +@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] + Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". + + +- ++ + + + +@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. + + +- ++ + + + +@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + --loginuid-immutable + + +- ++ + + + +@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t + $ sudo yum install audit + + +- ++ + + + +@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. 
+ + +- ++ + + + +@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO + The audit daemon must be restarted for the changes to take effect. + + +- ++ + + + +@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules + $ sudo chmod 0640 /etc/audit/auditd.conf + + +- ++ + + + +@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] + Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. + + +- ++ + + + +@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] + Replace "[audit_tool]" with each audit tool not owned by "root". + + +- ++ + + + +@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] + Replace "[audit_tool]" with each audit tool not group-owned by "root". 
+ + +- ++ + + + +@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog + + +- ++ + + + +@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul + $ sudo yum install rsyslog-gnutls + + +- ++ + + + +@@ -7471,7 +7481,7 @@ overflow_action = syslog + The audit daemon must be restarted for changes to take effect. + + +- ++ + + + +@@ -7497,7 +7507,7 @@ space_left = 25% + Note: Option names and values in the auditd.conf file are case insensitive. + + +- ++ + + + +@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + port 0 + + +- ++ + + + +@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc + cmdport 0 + + +- ++ + + + +@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass + $ sudo yum remove telnet-server + + +- ++ + + + +@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove abrt* + + +- ++ + + + +@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. + $ sudo yum remove sendmail + + +- ++ + + + +@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion + $ sudo yum remove rsh-server + + +- ++ + + + +@@ -7716,7 +7726,7 @@ blacklist atm + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7749,7 +7759,7 @@ blacklist can + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7782,7 +7792,7 @@ blacklist sctp + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7815,7 +7825,7 @@ blacklist tipc + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7848,7 +7858,7 @@ blacklist cramfs + Reboot the system for the settings to take effect. 
+ + +- ++ + + + +@@ -7879,7 +7889,7 @@ blacklist firewire-core + Reboot the system for the settings to take effect. + + +- ++ + + + +@@ -7910,14 +7920,14 @@ blacklist usb-storage + Reboot the system for the settings to take effect. + + +- ++ + + + + + SRG-OS-000300-GPOS-00118 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040111 + RHEL 8 Bluetooth must be disabled. + <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. +@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per + 2921 + + CCI-001443 +- Configure the operating system to disable the Bluetooth adapter when not in use. ++ Configure the operating system to disable the Bluetooth adapter when not in use. + + Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: + + install bluetooth /bin/true + ++Disable the ability to use the Bluetooth kernel module. ++ ++$ sudo vi /etc/modprobe.d/blacklist.conf ++ ++Add or update the line: ++ ++blacklist bluetooth ++ + Reboot the system for the settings to take effect. 
+- ++ + +- ++ + + + +@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + 
/dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" + /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 + + +- ++ + + + +@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO + $ sudo systemctl enable sshd.service + + +- ++ + + + +@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. + $ sudo systemctl restart sshd.service + + +- ++ + + + +@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. + $ sudo systemctl daemon-reload + + +- ++ + + + +@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload + $ sudo yum remove tftp-server + + +- ++ + + + +@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server + If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040210 + RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
+ <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040220 + RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040230 + RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. + <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. +@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040240 + RHEL 8 must not forward IPv6 source-routed packets. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040250 + RHEL 8 must not forward IPv6 source-routed packets by default. + <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040260 + RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040261 + RHEL 8 must not accept router advertisements on all IPv6 interfaces. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
+@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040262 + RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. + <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040270 + RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040280 + RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
+@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040281 + RHEL 8 must disable access to network bpf syscall from unprivileged processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040282 + RHEL 8 must restrict usage of ptrace to descendant processes. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040283 + RHEL 8 must restrict exposed kernel pointer addresses access. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040284 + RHEL 8 must disable the use of user namespaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040285 + RHEL 8 must use reverse path filtering on all IPv4 interfaces. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -9125,7 +9143,7 @@ $ sudo sysctl --system + $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' + + +- ++ + + + +@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: + $ sudo systemctl restart sshd + + +- ++ + + + +@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us + X11UseLocalhost yes + + +- ++ + + + +@@ -9207,7 +9225,7 @@ X11UseLocalhost yes + server_args = -s /var/lib/tftpboot + + +- ++ + + + +@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot + $ sudo yum remove vsftpd + + +- ++ + + + +@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose + $ sudo yum remove gssproxy + + +- ++ + + + +@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI + $ sudo yum remove iprutils + + +- ++ + + + +@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. + $ sudo yum remove tuned + + +- ++ + + + +@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + $ sudo yum remove krb5-server + + +- ++ + + + +@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL + ALL ALL=(ALL:ALL) ALL + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010383 + RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". + <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
+@@ -9395,14 +9413,14 @@ Defaults !rootpw + Defaults !runaspw + + +- ++ + + + + + SRG-OS-000373-GPOS-00156 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-010384 + RHEL 8 must require re-authentication when using the "sudo" command. + <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] + Note: The "[value]" must be a number that is greater than or equal to "0". + + +- ++ + + + +@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". + + +- ++ + + + +@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p + Note: Manual changes to the listed file may be overwritten by the "authselect" program. + + +- ++ + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> +- ++ + RHEL-08-040286 + RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec + $ sudo sysctl --system + + +- ++ + + + +@@ -9540,18 +9558,18 @@ Lock an account: + $ sudo passwd -l [username] + + +- ++ + + + + + +- ++ + + + repotool + 5.10 +- 2022-03-28T12:45:12 ++ 2022-06-28T15:27:20 + + + +@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note + + + +- ++ + +- RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. ++ RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. 
+ + Red Hat Enterprise Linux 8 + + If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. + +- ++ + +- + + + +@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe + + + +- ++ + + RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. + +@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per + + + ++ + + + +@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + + + +- ++ + + RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". + +@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access + For more information on each of the listed configurations, reference the sudoers(5) manual page. + + +- ++ + + + +- ++ + + + +- ++ + + + + + +- ++ + + RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. + +@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit + + If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. 
+ +- +- +- ++ ++ + + + +@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + +@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + +- +- ++ ++ + + + + + + +- +- ++ ++ + + + +- +- ++ ++ + + + +@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + + +@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- ++ ++ + + + +@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil + + + +- +- +- +- +- +- ++ ++ + + + +@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil + + + ++ ++ ++ + + + +@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + ++ + +- ++ + + ++ + + + + + +- ++ + + + +- ++ + + ++ + +- ++ + + ++ + + + +@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- ++ + + +- +- +- +- +- +- ++ ++ + + + +@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + +@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil + oval:mil.disa.stig.rhel8:obj:13602 + + +- ++ ++ + /etc/sudoers + ^(?!#).*\s+NOPASSWD.*$ + 1 + +- ++ ++ + /etc/sudoers.d + ^.*$ + ^(?!#).*\s+NOPASSWD.*$ +@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ 
^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:19700 ++ oval:mil.disa.stig.rhel8:obj:19701 ++ ++ ++ ++ /etc/security ++ ^pwquality\.conf.*$ + ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* ++ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:19800 ++ oval:mil.disa.stig.rhel8:obj:19801 ++ ++ + + /etc/security/pwquality.conf + ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20000 ++ oval:mil.disa.stig.rhel8:obj:20001 ++ ++ ++ ++ /etc/security ++ ^pwquality\.conf.*$ + ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* ++ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20100 ++ oval:mil.disa.stig.rhel8:obj:20101 ++ ++ + + /etc/security/pwquality.conf + ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ ++ ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ ++ oval:mil.disa.stig.rhel8:obj:20300 ++ oval:mil.disa.stig.rhel8:obj:20301 ++ ++ + + /etc/shadow + ^root:[^:]*:[^:]*:0*: +@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b + 1 + +- +- /etc/security/pwquality.conf ++ ++ ^/etc/security/pwquality\.conf.*$ ++ .* + ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ /etc/security ++ ^pwquality\.conf ++ ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ ++ 1 ++ ++ ++ 
++ oval:mil.disa.stig.rhel8:obj:20900 ++ oval:mil.disa.stig.rhel8:obj:20901 ++ ++ + + /etc/login.defs + ^\s*PASS_MIN_LEN\s+(\d+)\s*$ +@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/security/pwquality.conf ++ ++ ++ /etc/security ++ ^pwquality\.conf.* + ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + +- +- /etc/pwquality.conf.d/ +- ^.*\.conf$ ++ ++ ^/etc/security/pwquality\.conf.* ++ ^.*$ + ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:21400 ++ oval:mil.disa.stig.rhel8:obj:21401 ++ ++ + + /etc/login.defs + ^\s*FAIL_DELAY\s+(\d+)\s*$ +@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil + ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ + 1 + ++ ++ /etc/modprobe.d ++ .* ++ ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ ++ 1 ++ + + /dev/shm + +@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil + ^\s*Defaults\s+\!runaspw\s*$ + 1 + +- ++ ++ + /etc/sudoers +- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + +- ++ ++ + /etc/sudoers.d + ^.*$ +- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ ++ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ + 1 + ++ ++ ++ oval:mil.disa.stig.rhel8:obj:41600 ++ oval:mil.disa.stig.rhel8:obj:41601 ++ ++ + + /etc/pam.d/system-auth + \bnullok\b +@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil + + 1 + ++ ++ 2 ++ ++ ++ 2 ++ + + 0 + + + 0 + ++ ++ 2 ++ ++ ++ 2 ++ + + ^(no|"no")$ + +@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil + + + +- ++ + + + repotool + 5.10 +- 2022-03-28T12:45:12 ++ 2022-06-28T15:27:20 + + + + +From b2b2dbba78bb1e182ddfe9e90bd8a8ae5cf33187 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 
Aug 2022 14:49:09 +0200 +Subject: [PATCH 3/3] Update RHEL8 STIG to V1R7 + +--- + products/rhel8/profiles/stig.profile | 4 ++-- + products/rhel8/profiles/stig_gui.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++-- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 7adbfee5559..4b480bd2c11 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG for Red Hat Enterprise Linux 8 V1R7. + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile +index 665bc1e059d..fa8bc724a5d 100644 +--- a/products/rhel8/profiles/stig_gui.profile ++++ b/products/rhel8/profiles/stig_gui.profile +@@ -1,7 +1,7 @@ + documentation_complete: true + + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker +@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. 
+ + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 2a16a82889a..4bee72830d0 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -1,7 +1,7 @@ + title: DISA STIG for Red Hat Enterprise Linux 8 + description: 'This profile contains configuration checks that align to the + +- DISA STIG for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG for Red Hat Enterprise Linux 8 V1R7 + + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes +@@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the + - Red Hat Containers with a Red Hat Enterprise Linux 8 image' + extends: null + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index e79776f8e90..ece32d06a6f 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -1,7 +1,7 @@ + title: DISA STIG with GUI for Red Hat Enterprise Linux 8 + description: 'This profile contains configuration checks that align to the + +- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. ++ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. + + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes +@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the + standard DISA STIG for Red Hat Enterprise Linux 8 profile.' + extends: null + metadata: +- version: V1R6 ++ version: V1R7 + SMEs: + - mab879 + - ggbecker 
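Review bot: The new description line in tests/data/profile_stability/rhel8/stig.profile drops the trailing period that the removed V1R6 line had, `++ DISA STIG for Red Hat Enterprise Linux 8 V1R7`, while products/rhel8/profiles/stig.profile and the stig_gui stability file in the same commit both keep `V1R7.`. If the profile-stability test compares the description text, the rendered profile will no longer match this stored copy; either way the four files should agree. Restoring the period, `DISA STIG for Red Hat Enterprise Linux 8 V1R7.`, keeps them consistent.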
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch b/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch new file mode 100644 index 0000000..ce526cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch 
@@ -0,0 +1,187 @@ +From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 Aug 2022 17:50:37 +0200 +Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding + +This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and +sysctl_net_ipv4_forward. +--- + .../rule.yml | 44 +++++++++++++++++++ + ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++ + shared/references/cce-redhat-avail.txt | 1 - + 3 files changed, 61 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml +new file mode 100644 +index 00000000000..7b0066f7c29 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml +@@ -0,0 +1,44 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}' ++ ++rationale: |- ++ IP forwarding permits the kernel to forward packets from one network ++ interface to another. The ability to forward packets between two networks is ++ only appropriate for systems acting as routers. 
++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: CCE-86220-1 ++ ++references: ++ disa: CCI-000366 ++ nist: CM-6(b) ++ srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-040259 ++ ++ocil_clause: 'IP forwarding value is "1" and the system is not router' ++ ++ocil: |- ++ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}} ++ The ability to forward packets is only appropriate for routers. ++ ++fixtext: |- ++ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands: ++ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}} ++ ++srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.' ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: net.ipv4.conf.all.forwarding ++ datatype: int ++ +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var +new file mode 100644 +index 00000000000..2aedd6e6432 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var +@@ -0,0 +1,17 @@ ++documentation_complete: true ++ ++title: net.ipv4.conf.all.forwarding ++ ++description: 'Toggle IPv4 Forwarding' ++ ++type: number ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ default: "0" ++ disabled: "0" ++ enabled: 1 ++ +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..3e14b73dd71 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -168,7 +168,6 @@ CCE-86216-9 + CCE-86217-7 + CCE-86218-5 + CCE-86219-3 +-CCE-86220-1 + CCE-86221-9 + CCE-86222-7 + CCE-86223-5 + +From 
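Review bot: In the new `sysctl_net_ipv4_conf_all_forwarding/rule.yml` the `description` and `fixtext` hard-code `value="0"`, while the `template` block gives no `sysctlval`, so the check presumably follows the `sysctl_net_ipv4_conf_all_forwarding_value` variable; with that variable's `enabled: 1` selector the documented value and the evaluated value would disagree. The rp_filter change later in this same series switches to `xccdf_value(...)` in `fixtext`; do the same here, `{{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value=xccdf_value("sysctl_net_ipv4_conf_all_forwarding_value")) | indent(4) }}}`, or drop the `enabled` selector if this rule is only ever meant to disable forwarding. The `ocil_clause` also reads "the system is not router"; it should be `ocil_clause: 'IP forwarding value is "1" and the system is not a router'`.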
0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 1 Aug 2022 17:53:32 +0200 +Subject: [PATCH 2/2] Better align with RHEL-08-040259 + +The item is about net.ipv4.conf.all.forwarding +The update to V1R7 made brought this misalignment to light. +--- + .../sysctl_net_ipv4_ip_forward/rule.yml | 1 - + products/rhel8/profiles/stig.profile | 2 +- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + tests/data/profile_stability/rhel8/stig_gui.profile | 2 +- + 4 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +index 5c449db7f3a..7acfc0b05b6 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +@@ -45,7 +45,6 @@ references: + stigid@ol7: OL07-00-040740 + stigid@ol8: OL08-00-040260 + stigid@rhel7: RHEL-07-040740 +- stigid@rhel8: RHEL-08-040259 + stigid@sle12: SLES-12-030430 + stigid@sle15: SLES-15-040380 + +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 4b480bd2c11..6b44436a2b1 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ -1127,7 +1127,7 @@ selections: + - sysctl_net_ipv6_conf_default_accept_source_route + + # RHEL-08-040259 +- - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv4_conf_all_forwarding + + # RHEL-08-040260 + - sysctl_net_ipv6_conf_all_forwarding +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 4bee72830d0..47f53a9d023 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -1,7 
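Review bot: The `# RHEL-08-040259` entry in `products/rhel8/profiles/stig.profile` should record why replacing `sysctl_net_ipv4_ip_forward` with `sysctl_net_ipv4_conf_all_forwarding` does not change what is enforced: as far as I know the kernel exposes `net.ipv4.ip_forward` as an alias of `net.ipv4.conf.all.forwarding` (writing either updates both), so the old rule is not superseded by a different control, it simply stops being selected. A short note such as `# RHEL-08-040259 (net.ipv4.conf.all.forwarding; the kernel mirrors it in net.ipv4.ip_forward)` would stop a later reader from re-adding the old rule as a "missing" check. Please confirm the aliasing against the kernel's devinet sysctl handling before wording it as fact.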
+1,7 @@ + title: DISA STIG for Red Hat Enterprise Linux 8 + description: 'This profile contains configuration checks that align to the + +- DISA STIG for Red Hat Enterprise Linux 8 V1R7 ++ DISA STIG for Red Hat Enterprise Linux 8 V1R7. + + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes +@@ -395,13 +395,13 @@ selections: + - sysctl_net_core_bpf_jit_harden + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route ++- sysctl_net_ipv4_conf_all_forwarding + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts +-- sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_source_route +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index ece32d06a6f..c4e60ddcde5 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -405,13 +405,13 @@ selections: + - sysctl_net_core_bpf_jit_harden + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route ++- sysctl_net_ipv4_conf_all_forwarding + - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts +-- sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_source_route 
diff --git a/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch b/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch new file mode 100644 index 0000000..36aa0be --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch 
@@ -0,0 +1,89 @@ +From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 9 Aug 2022 17:28:33 +0200 +Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG + profile. + +--- + .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 + + .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 + + products/rhel8/profiles/stig.profile | 14 +++++++------- + tests/data/profile_stability/rhel8/stig.profile | 2 ++ + .../data/profile_stability/rhel8/stig_gui.profile | 2 ++ + 5 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index 46ea0558a42..1e9c6172758 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -57,6 +57,7 @@ references: + stigid@ol7: OL07-00-040320 + stigid@ol8: OL08-00-010201 + stigid@rhel7: RHEL-07-040320 ++ stigid@rhel8: RHEL-08-010201 + stigid@sle12: SLES-12-030190 + stigid@sle15: SLES-15-010280 + stigid@ubuntu2004: UBTU-20-010037 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +index 0f0693ddc6c..f6e98a61d9a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +@@ -53,6 +53,7 @@ references: + stigid@ol7: OL07-00-040340 + stigid@ol8: OL08-00-010200 + stigid@rhel7: RHEL-07-040340 ++ stigid@rhel8: RHEL-08-010200 + stigid@sle12: SLES-12-030191 + stigid@sle15: SLES-15-010320 + vmmsrg: SRG-OS-000480-VMM-002000 +diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile +index 6b44436a2b1..124b7520d3a 100644 +--- a/products/rhel8/profiles/stig.profile ++++ b/products/rhel8/profiles/stig.profile +@@ 
-170,13 +170,13 @@ selections: + # RHEL-08-010190 + - dir_perms_world_writable_sticky_bits + +- # These two items don't behave as they used to in RHEL8.6 and RHEL9 +- # anymore. They will be disabled for now until an alternative +- # solution is found. +- # # RHEL-08-010200 +- # - sshd_set_keepalive_0 +- # # RHEL-08-010201 +- # - sshd_set_idle_timeout ++ # Although these rules have a different behavior in RHEL>=8.6 ++ # they still need to be selected so it follows exactly what STIG ++ # states. ++ # RHEL-08-010200 ++ - sshd_set_keepalive_0 ++ # RHEL-08-010201 ++ - sshd_set_idle_timeout + + # RHEL-08-010210 + - file_permissions_var_log_messages +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 47f53a9d023..6c75d0ae1b1 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -369,6 +369,8 @@ selections: + - sshd_enable_warning_banner + - sshd_print_last_log + - sshd_rekey_limit ++- sshd_set_idle_timeout ++- sshd_set_keepalive_0 + - sshd_use_strong_rng + - sshd_x11_use_localhost + - sssd_certificate_verification +diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile +index c4e60ddcde5..8a7a469b940 100644 +--- a/tests/data/profile_stability/rhel8/stig_gui.profile ++++ b/tests/data/profile_stability/rhel8/stig_gui.profile +@@ -379,6 +379,8 @@ selections: + - sshd_enable_warning_banner + - sshd_print_last_log + - sshd_rekey_limit ++- sshd_set_idle_timeout ++- sshd_set_keepalive_0 + - sshd_use_strong_rng + - sshd_x11_use_localhost + - sssd_certificate_verification diff --git a/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch b/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch new file mode 100644 index 0000000..da41301 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch 
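Review bot: The replacement comment in `products/rhel8/profiles/stig.profile` says the two sshd rules "have a different behavior in RHEL>=8.6" without saying what that behavior is, and the difference is security-relevant: if it is the OpenSSH 8.2+ semantics where `ClientAliveCountMax 0` disables connection termination entirely instead of dropping the session after the first missed keepalive, then selecting `sshd_set_keepalive_0` makes the idle timeout configured by `sshd_set_idle_timeout` (RHEL-08-010201) ineffective on those releases. Following the STIG text literally is a defensible choice, but the profile should state the consequence so consumers can decide whether to tailor the rules out, e.g. `# On RHEL>=8.6 sshd treats ClientAliveCountMax 0 as "never terminate", so these two rules no longer enforce an idle-session timeout; kept selected only to match the STIG text.` Please confirm the exact sshd behavior on 8.6 before committing to that wording.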
@@ -0,0 +1,113 @@ +From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Aug 2022 15:57:52 +0200 +Subject: [PATCH 1/2] Accept sudoers files without includes as compliant + +Update rule sudoers_default_includedir to accept as compliant sudoers +files that don't have any #include or #includedir directive +--- + .../oval/shared.xml | 24 +++++++++++++++---- + .../sudo/sudoers_default_includedir/rule.yml | 8 ++++--- + ...cludedir.fail.sh => no_includedir.pass.sh} | 2 +- + 3 files changed, 26 insertions(+), 8 deletions(-) + rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +index 59cab0b89de..629fbe8c6d2 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -1,10 +1,16 @@ + + + {{{ oval_metadata("Check if sudo includes only the default includedir") }}} +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -32,6 +38,16 @@ + 1 + + ++ ++ ++ ++ ++ /etc/sudoers ++ ^#includedir[\s]+.*$ ++ 1 ++ ++ + + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +index aa2aaee19f8..83bfb0183bd 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +@@ -8,9 +8,11 @@ description: |- + Administrators can configure authorized sudo users via drop-in files, and it is possible to include + other directories and configuration files from the file currently being parsed. 
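Review bot: The new "no include directives" pass path in `sudoers_default_includedir/oval/shared.xml` keys only on the `#`-prefixed spelling (the visible pattern is `^#includedir[\s]+.*$`), but sudo 1.9.1 and later also honors `@include` and `@includedir`; on a product whose sudo supports that syntax, an `/etc/sudoers` containing `@includedir /some/other/dir` matches none of the `#` patterns and would be reported compliant by the new branch even though it pulls in an arbitrary directory. Since the rule is `multi_platform_all`, the patterns should accept both prefixes, e.g. `^[#@]includedir[\s]+.*$` and the corresponding `^[#@]include[\s]+.*$`, with the "exactly one includedir pointing to /etc/sudoers.d" object adjusted the same way. The other objects of this definition are not visible in the hunk, so the same change may be needed there too.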
+ +- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. +- The /etc/sudoers should contain only one #includedir directive pointing to +- /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. ++ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, ++ or that no drop-in file is included. ++ Either the /etc/sudoers should contain only one #includedir directive pointing to ++ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; ++ Or the /etc/sudoers should not contain any #include or #includedir directives. + Note that the '#' character doesn't denote a comment in the configuration file. + + rationale: |- +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh +similarity index 51% +rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh +rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh +index 1e0ab8aea92..fe73cb25076 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh +@@ -1,4 +1,4 @@ + #!/bin/bash + # platform = multi_platform_all + +-sed -i "/#includedir.*/d" /etc/sudoers ++sed -i "/#include(dir)?.*/d" /etc/sudoers + +From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 12:01:12 +0200 +Subject: [PATCH 2/2] Improve definition's comments + +--- + .../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml 
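Review bot: The renamed test `no_includedir.pass.sh` no longer exercises the case it is named for: `sed -i "/#include(dir)?.*/d" /etc/sudoers` runs without `-E`, so in sed's basic regex syntax `(`, `)` and `?` are literal characters and the expression only matches a line containing the text `#include(dir)?`, leaving the stock `#includedir /etc/sudoers.d` line untouched. The scenario then passes for the wrong reason (a single default includedir is also compliant), so a regression in the new "no includes" OVAL branch would go unnoticed. Use `sed -i -E '/^#include(dir)?[[:space:]]/d' /etc/sudoers` (or simply `sed -i '/^#include/d' /etc/sudoers`) so the directive is actually removed.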
b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +index 629fbe8c6d2..82095acc6ed 100644 +--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml ++++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +@@ -8,8 +8,8 @@ + + + +- +- ++ ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch b/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch new file mode 100644 index 0000000..19343f2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch 
@@ -0,0 +1,358 @@ +From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 09:57:33 +0200 +Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values + +This also removes value '0' from the list of possible configurations. +This change aligns the rule better with STIG. +--- + .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++ + .../tests/value_1.pass.sh | 10 ++++++++++ + .../tests/value_2.pass.sh | 10 ++++++++++ + .../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +- + 4 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +index 496a8491f32..697f79fa872 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +@@ -59,4 +59,8 @@ template: + name: sysctl + vars: + sysctlvar: net.ipv4.conf.all.rp_filter ++ sysctlval: ++ - '1' ++ - '2' ++ wrong_sysctlval_for_testing: "0" + datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +new file mode 100644 +index 
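Review bot: Accepting `'2'` next to `'1'` in the `sysctlval` list of `sysctl_net_ipv4_conf_all_rp_filter/rule.yml` quietly weakens the control: rp_filter mode 2 (loose) only requires that the source address be reachable via some interface, so it does not block spoofed packets on multi-homed hosts the way strict mode 1 does. The STIG may permit either value, but the rule's description and rationale (outside this hunk) still present reverse path filtering as a single setting; they should explain the distinction and steer toward 1, e.g. add to the rationale `Mode 1 (strict) drops packets whose reply would leave via a different interface; mode 2 (loose) only checks that the source is reachable at all and should be used only where asymmetric routing breaks strict mode.` If I read the sysctl template correctly, a fixed `sysctlval` list also means the `sysctl_net_ipv4_conf_all_rp_filter_value` variable no longer influences the check itself, only the remediation; worth saying in the commit message so profile authors do not expect a refined value to tighten the check.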
00000000000..516bfaf1369 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf ++echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w net.ipv4.conf.all.rp_filter="1" +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +new file mode 100644 +index 00000000000..ef1b8da0479 +--- /dev/null ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf ++echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w net.ipv4.conf.all.rp_filter="2" +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var +index e3fc78e3f05..1eae854f6b0 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var ++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var +@@ -17,5 +17,5 @@ interactive: false + + options: + default: 1 +- disabled: "0" + enabled: 1 ++ loose: 2 + +From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 10:53:40 +0200 +Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values + +This also removes value '0' from the list of possible configurations. +This change aligns the rule better with STIG. +--- + .../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++ + .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++ + .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++ + .../sysctl_kernel_kptr_restrict_value.var | 1 - + 4 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index 1984b3c8691..5706eee0a0a 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -42,6 +42,10 @@ template: + name: sysctl + vars: + sysctlvar: kernel.kptr_restrict ++ sysctlval: ++ - '1' ++ - '2' ++ wrong_sysctlval_for_testing: "0" + datatype: int + + fixtext: |- +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh 
b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +new file mode 100644 +index 00000000000..e6efae48b25 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf ++echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.kptr_restrict="1" +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +new file mode 100644 +index 00000000000..be3f2b743ef +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf ++echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.kptr_restrict="2" +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var +index 452328e3efd..268550de53d 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var ++++ 
b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var +@@ -12,6 +12,5 @@ interactive: false + + options: + default: 1 +- 0: 0 + 1: 1 + 2: 2 + +From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 11:08:34 +0200 +Subject: [PATCH 3/5] Remove variable selector that will result in error + +The rule only accepts values 1 or 2 as compliant, the XCCDF Variable +cannot have the value 0, it will never result in pass. +--- + .../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +index b8bf965a255..cbfd9bafa91 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +@@ -13,6 +13,5 @@ interactive: false + + options: + default: 2 +- 0: "0" + 1: "1" + 2: "2" + +From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 11:33:03 +0200 +Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol + +For now, the only STIGs I see that adopted this change were RHEL's and +OL's. 
+--- + .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++ + .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 + + .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 + + .../sysctl_kernel_kptr_restrict/rule.yml | 2 ++ + .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 + + .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 + + 6 files changed, 8 insertions(+) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +index 697f79fa872..f04ae37c13d 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +@@ -59,8 +59,10 @@ template: + name: sysctl + vars: + sysctlvar: net.ipv4.conf.all.rp_filter ++ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" ++ {{% endif %}} + datatype: int +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +index 516bfaf1369..583b70a3b97 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* 
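Review bot: The guard `{{% if 'ol' in product or 'rhel' in product %}}` added to `sysctl_net_ipv4_conf_all_rp_filter/rule.yml` is a substring test on the product id, not a membership test, so any product whose identifier happens to contain `ol` or `rhel` will silently receive the relaxed 1-or-2 check even though the commit message says only the RHEL and OL STIGs adopted it. A membership test on the intended products, `{{% if product in ['ol7', 'ol8', 'ol9', 'rhel7', 'rhel8', 'rhel9'] %}}`, or whichever product-family helper the macros already provide, makes the scope explicit and keeps new products on the strict single-value check by default. The same expression is repeated in the kptr_restrict rule below and should change together with this one.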
/run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +index ef1b8da0479..ef545976dc6 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index 5706eee0a0a..f53e035effa 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -42,10 +42,12 @@ template: + name: sysctl + vars: + sysctlvar: kernel.kptr_restrict ++ {{% if 'ol' in product or 'rhel' in product %}} + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" ++ {{% endif %}} + datatype: int + + fixtext: |- +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +index e6efae48b25..70189666c16 100644 +--- 
a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +index be3f2b743ef..209395fa9a1 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = multi_platform_ol,multi_platform_rhel + + # Clean sysctl config directories + rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Aug 2022 14:01:40 +0200 +Subject: [PATCH 5/5] Update OCIL check along with the rule + +The OCIL should should mention both compliant values. 
+--- + .../rule.yml | 29 +++++++++++++++++-- + .../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++- + 2 files changed, 55 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +index f04ae37c13d..4d31c6c3ebd 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +@@ -47,11 +47,36 @@ references: + stigid@rhel7: RHEL-07-040611 + stigid@rhel8: RHEL-08-040285 + +-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} ++ocil: |- ++ The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried ++ by running the following command: ++
$ sysctl net.ipv4.conf.all.rp_filter
++ The output of the command should indicate either:
++ net.ipv4.conf.all.rp_filter = 1
++ or:
++ net.ipv4.conf.all.rp_filter = 2
++ The output of the command should not indicate:
++ net.ipv4.conf.all.rp_filter = 0
++
++ The preferable way how to assure the runtime compliance is to have
++ correct persistent configuration, and rebooting the system.
++
++ The persistent sysctl parameter configuration is performed by specifying the appropriate
++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ net.ipv4.conf.all.rp_filter = 1 ++ or: ++ net.ipv4.conf.all.rp_filter = 2 ++ ++ Conflicting assignments are not allowed. ++ ++ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0" + + fixtext: |- + Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces. +- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}} ++ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}} + + srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.' + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index f53e035effa..367934b5672 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -34,6 +34,33 @@ references: + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + ++ocil: |- ++ The runtime status of the kernel.kptr_restrict kernel parameter can be queried ++ by running the following command: ++
$ sysctl kernel.kptr_restrict
++ The output of the command should indicate either:
++ kernel.kptr_restrict = 1
++ or:
++ kernel.kptr_restrict = 2
++ The output of the command should not indicate:
++ kernel.kptr_restrict = 0
++
++ The preferable way how to assure the runtime compliance is to have
++ correct persistent configuration, and rebooting the system.
++
++ The persistent kernel parameter configuration is performed by specifying the appropriate
++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.kptr_restrict = 1 ++ or: ++ kernel.kptr_restrict = 2 ++ ++ Conflicting assignments are not allowed. ++ ++ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0" ++ + srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.' + + platform: machine +@@ -52,4 +79,4 @@ template: + + fixtext: |- + Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access. +- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}} ++ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}} diff --git a/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch b/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch new file mode 100644 index 0000000..1f8f5b0 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch 
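Review bot: The `kernel.kptr_restrict` hunk keeps the `{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}` line as unchanged context and then adds a second `ocil:` block below it, whereas the `rp_filter` hunk in the same commit removes that macro line when it introduces its explicit `ocil:`. If the macro expands to `ocil:`/`ocil_clause:` entries, as its name and the rp_filter change suggest, the rendered rule ends up with duplicate YAML keys and the macro-generated text still tells the assessor that only the value 1 is acceptable. The macro line should be dropped here too, i.e. `-{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}`.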
@@ -0,0 +1,1888 @@ +From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 8 Jul 2022 17:51:57 +0200 +Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP + +Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule +requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default +is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf +programs and all users, and it turns on constants blinding by using +random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 +differ is the constants blinding for CAP_SYS_ADMIN processes in the +initial user namespaces. The extra constants blinding with +bpf_jit_harden=2 does not really help with CVE mitigation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 +--- + products/rhel9/profiles/ospp.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 244a421fb48..a7ba9532d2c 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,7 +75,6 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled +- - sysctl_net_core_bpf_jit_harden + - service_kdump_disabled + + ### Audit + +From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Jul 2022 11:24:42 +0200 +Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template + +The sysctl template uses its sysctlvar parameter value as a part of OVAL +object IDs, test IDs and state IDs. That means we can't have multiple +rules using the sysctl template with the same value of sysctlvar +parameter (only differ in other parameters) because there would be +duplicate elements. We will fix this by using the rule ID as a part of +OVAL object IDs, test IDs and state IDs. 
That will allow to use the +template for the same sysctlvar in different rules. +--- + .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- + shared/templates/sysctl/oval.template | 156 +++++++++--------- + 2 files changed, 80 insertions(+), 80 deletions(-) + +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index 1195cea518f..f971d28a047 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -19,8 +19,8 @@ + + + +- +- ++ ++ + + + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 74583dbee1d..52671c06402 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -5,8 +5,8 @@ + {{%- endif %}} + + {{% macro state_static_sysctld(prefix) -%}} +- +- ++ ++ + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -20,13 +20,13 @@ + {{%- if "P" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -34,7 +34,7 @@ + {{%- elif "I" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + {{% if product in ["ubuntu1604", "ubuntu1804"] %}} +@@ -46,9 +46,9 @@ + {{% endif %}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -58,33 +58,33 @@ + {{%- if "R" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + + ++ test_ref="test_{{{ rule_id }}}_runtime"/> + + +- +- +- ++ ++ + + +- ++ + {{{ SYSCTLVAR }}} + + {{% if SYSCTLVAL 
== "" %}} +- ++ + ++ var_ref="{{{ rule_id }}}_value"/> + + +- + {{%- else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} +@@ -100,46 +100,46 @@ + {{%- if "S" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + + ++ test_ref="test_{{{ rule_id }}}_static"/> + + ++ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> + ++ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +- ++ + {{% endif %}} + + + +- + {{{ state_static_sysctld("sysctl") }}} + + +- + {{{ state_static_sysctld("etc_sysctld") }}} + + +- + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- + {{{ state_static_sysctld("usr_lib_sysctld") }}} +@@ -148,79 +148,79 @@ + + {{% if target_oval_version >= [5, 11] %}} + +- +- ++ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> ++ ++ + + +- +- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter ++ ++ local_var_{{{ rule_id }}}_counter + + +- ++ + 1 + + +- ++ + + +- ++ + + + + +- ++ + +- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} +- state_{{{ SYSCTLID }}}_filepath_is_symlink ++ object_{{{ rule_id }}}_static_set_sysctls_unfiltered ++ state_{{{ rule_id }}}_filepath_is_symlink + + + +- +- ++ ++ + + +- ++ + +- ++ + +- ++ + + + +- ++ + +- var_obj_symlink_{{{ SYSCTLID }}} +- var_obj_blank_{{{ SYSCTLID }}} ++ var_obj_symlink_{{{ rule_id }}} ++ var_obj_blank_{{{ rule_id }}} + + + +- +- local_var_blank_path_{{{ SYSCTLID }}} ++ ++ local_var_blank_path_{{{ rule_id }}} + + +- ++ + + + +- +- local_var_symlinks_{{{ SYSCTLID }}} ++ ++ local_var_symlinks_{{{ rule_id }}} + +- ++ + +- ++ + +- ++ + + + + +- +- +- 
state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} ++ ++ ++ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} + + + +- ++ + ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ + + {{% endif %}} + +- +- ++ ++ + + + +- ++ + +- object_static_etc_sysctls_{{{ SYSCTLID }}} +- object_static_run_usr_sysctls_{{{ SYSCTLID }}} ++ object_static_etc_sysctls_{{{ rule_id }}} ++ object_static_run_usr_sysctls_{{{ rule_id }}} + + + +- ++ + +- object_static_sysctl_{{{ SYSCTLID }}} +- object_static_etc_sysctld_{{{ SYSCTLID }}} ++ object_static_sysctl_{{{ rule_id }}} ++ object_static_etc_sysctld_{{{ rule_id }}} + + + +- ++ + +- object_static_run_sysctld_{{{ SYSCTLID }}} ++ object_static_run_sysctld_{{{ rule_id }}} + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} ++ object_static_usr_lib_sysctld_{{{ rule_id }}} + {{% endif %}} + + + +- ++ + /etc/sysctl.conf + {{{ sysctl_match() }}} + + +- ++ + /etc/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + +- ++ + /run/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- ++ + /usr/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} +@@ -288,15 +288,15 @@ + {{% endif %}} + {{% if SYSCTLVAL == "" %}} + +- +- ++ + + +- + {{% else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} + {{% else %}} + +From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:16:45 +0200 +Subject: [PATCH 03/23] Use a list of values in sysctl template + +This patch adds an ability to use a list of values instead of a single +value in the sysctlval parameter of the sysctl template. This is useful +for situations when we want to create a rule that passes for multiple +different sysctl values. This commit modifies the OVAL for the runtime +configuration. 
The runtime configuration will be allowed to be any of +the values in the list. There is an OR relation between the values. In +fact, this is a first step to enable multiple values in the sysctlval +parameter in the sysctl template, because we will also need to check the +static configuration, which is not done in this commit. +--- + shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ + shared/templates/sysctl/template.py | 24 ++++++++++++-------- + 2 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 52671c06402..b73ccc94f72 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -1,5 +1,7 @@ + {{%- if SYSCTLVAL == "" %}} + {{%- set COMMENT_VALUE="the appropriate value" %}} ++{{%- elif SYSCTLVAL is sequence %}} ++{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} + {{%- else %}} + {{%- set COMMENT_VALUE=SYSCTLVAL %}} + {{%- endif %}} +@@ -60,21 +62,43 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} ++{{% if SYSCTLVAL is string %}} + + + ++{{% elif SYSCTLVAL is sequence %}} ++ ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++ ++{{% endif %}} + ++ ++{{% if SYSCTLVAL is string %}} + + + + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% endfor %}} ++{{% endif %}} + + + {{{ SYSCTLVAR }}} + ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + + {{%- endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + + {{%- endif -%}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index fa981a9dce9..c62591357c0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -12,6 +12,13 @@ def preprocess(data, lang): + if "operation" 
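Review bot: In the first oval.template hunk (`@@ -1,5 +1,7 @@`) the new branch `{{%- elif SYSCTLVAL is sequence %}}` is reached for ordinary string values, because Jinja2's `sequence` test is true for any object with `__len__` and `__getitem__`, strings included; a rule with `sysctlval: "10"` would then render COMMENT_VALUE as `1 or 0` through `join(" or ")`. The later hunks are safe only because they test `is string` first. Guarding the top branch the same way avoids the mismatch: `{{%- elif SYSCTLVAL is not string and SYSCTLVAL is sequence %}}`. An unquoted YAML integer such as `sysctlval: 1` would match neither `is string` nor the list branch in the later hunks, so it may be worth normalizing the value to a string in `preprocess()` as well.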
not in data: + data["operation"] = "equals" + ++ if data["datatype"] not in ["string", "int"]: ++ raise ValueError( ++ "Test scenarios for data type '{0}' are not implemented yet.\n" ++ "Please check if rule '{1}' has correct data type and edit " ++ "{2} to add tests for it.".format( ++ data["datatype"], data["_rule_id"], __file__)) ++ + # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": +@@ -20,20 +27,19 @@ def preprocess(data, lang): + elif data["datatype"] == "string": + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" +- else: ++ elif isinstance(data["sysctlval"], list): ++ if len(data["sysctlval"]) == 0: + raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) ++ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) ++ data["sysctl_correct_value"] = data["sysctlval"][0] ++ if data["datatype"] == "int": ++ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] ++ elif data["datatype"] == "string": ++ data["sysctl_wrong_value"] = "wrong_value" + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"] + elif data["datatype"] == "string": + data["sysctl_wrong_value"] = "wrong_value" +- else: +- raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) + return data + +From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:47:51 +0200 +Subject: [PATCH 04/23] Move check unrelated to the test scenarios + +The check for an mepty list is 
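Review bot: In the new `elif isinstance(data["sysctlval"], list)` branch of `preprocess()` the generated wrong value `"1" + data["sysctlval"][0]` is never checked against the rest of the list, so a rule whose accepted values include that string (for instance `['1', '11']`) would get a `wrong_value.fail.sh` scenario that actually configures an accepted value and fails in CI as a false negative. A guard right after the assignment makes the problem visible at build time: `if data["sysctl_wrong_value"] in data["sysctlval"]:` / `raise ValueError("Cannot derive a wrong value for {0}".format(data["_rule_id"]))`. The same consideration applies to the `string` data type, where `"wrong_value"` could in principle be one of the listed values.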
unrelated to the test scenarios, +rather is a generic check to avoid problems during the build. +Therefore, it shouldn't be inside code block that is handling +data for test scenarios, but can be extracted to a sooner position. +--- + shared/templates/sysctl/template.py | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index c62591357c0..421e42c6ca1 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -11,7 +11,12 @@ def preprocess(data, lang): + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" ++ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: ++ raise ValueError( ++ "The sysctlval parameter of {0} is an empty list".format( ++ data["_rule_id"])) + ++ # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" +@@ -19,7 +24,6 @@ def preprocess(data, lang): + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + +- # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": + data["sysctl_correct_value"] = "0" +@@ -28,9 +32,6 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- if len(data["sysctlval"]) == 0: +- raise ValueError( +- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) + data["sysctl_correct_value"] = data["sysctlval"][0] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] + +From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 11:57:50 +0200 +Subject: [PATCH 05/23] Allow multiple values in sysctl 
static configuration + +This extends the OVAL checks for sysctl static configuration +to enable a list of values instead of a single value in the +sysctlval parameter of the sysctl template. The template +will generate OVAL tests for each value in the sysctlval +list. +--- + shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index b73ccc94f72..4e1bf3cfce3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -136,6 +136,7 @@ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + ++{{% if SYSCTLVAL is string %}} + + +@@ -146,6 +147,21 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++{{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++{{% endif %}} ++{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -154,6 +170,7 @@ + + + ++{{% if SYSCTLVAL is string %}} + +@@ -177,6 +194,37 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++ ++ ++ ++{{% endif %}} ++{{% endfor %}} ++{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + + {{% endif %}} ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + +@@ -336,5 +385,12 @@ + {{% endif %}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + {{%- endif -%}} + +From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 
2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 14:55:28 +0200 +Subject: [PATCH 06/23] Add option to allow system default + +Introduce new template option `missing_static_pass` to the +systemctl template. If this option is set to `"true"` in rule.yml +the OVAL will be generated in a way that the check will pass if +there is no sysctl static configuration option in the watched sysctl +configuration files. In other words, the OVAL check will pass if +the system default isn't overridden. +--- + shared/templates/sysctl/oval.template | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 4e1bf3cfce3..1719a59f9c7 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -134,6 +134,9 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++{{% endif %}} + + + {{% if SYSCTLVAL is string %}} +@@ -168,8 +171,20 @@ + + {{% endif %}} + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++{{% endif %}} + + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++ ++{{% endif %}} ++ + {{% if SYSCTLVAL is string %}} + +Date: Wed, 13 Jul 2022 17:02:35 +0200 +Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation + +A new parameter sysctlval_remediate is introduced to the sysctl +template. This allows to choose which of the multiple values in +the sysctl list will be used in the Bash and Ansible remediations. 
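Review bot: The new `{{% if MISSING_STATIC_PASS == "true" %}}` conditions are string comparisons, but this commit changes only oval.template (per its diffstat) and adds no default or normalization for the new parameter in template.py, so rules that do not set `missing_static_pass` render with the variable undefined and a rule that writes the YAML boolean `missing_static_pass: true` renders as `True` and silently keeps the strict behavior. Normalizing once in `preprocess()` removes both cases, e.g. `data["missing_static_pass"] = str(data.get("missing_static_pass", "false")).lower()`. The XML element content of this hunk is stripped in this view, so the criteria the option adds to the static definition could not be reviewed here.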
+--- + docs/templates/template_reference.md | 8 ++++++++ + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 +++++----- + shared/templates/sysctl/template.py | 9 +++++++++ + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index a439e3dca94..5785f1d453f 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo + - **sysctlval** - value of the sysctl value, eg. `'1'`. If this + parameter is not specified, XCCDF Value is used instead. + ++ - **sysctlval_remediate** - the value that will be used in remediations. ++ If **sysctlval_remediate** is not specified, the template will use the ++ value of the **sysctlval** parameter in the remediations. ++ This parameter is mandatory when the **sysctlval** parameter is a list ++ because we need to know which of the values in the list the system ++ should be remedied to. When the **sysctlval** parameter is not a list ++ this parameter is optional. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. 
+ +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index c13bb6637fe..7724db5e5ff 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} ++- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL }}}" ++ value: "{{{ SYSCTLVAL_REMEDIATE }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index d67a59c3886..63948bd5a26 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 421e42c6ca1..2574d5d42b0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,6 +16,15 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + ++ if not data.get("sysctlval_remediate"): ++ if isinstance(data["sysctlval"], list): ++ raise ValueError( ++ "Problem with rule {0}: the 'sysctlval' parameter is a list " ++ "but we are missing the 'sysctlval_remediate' parameter, so " ++ "we don't know how to generate remediation content.".format( ++ data["_rule_id"])) ++ data["sysctlval_remediate"] = data["sysctlval"] ++ + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + +From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:10:16 +0200 +Subject: [PATCH 08/23] Introduce new rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +This rule is very similar to the existing rule +sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl +setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the +rule will pass when the explicit configuration isn't present, allowing +to honor the system's default value which is 2. The goal of this rule is +to prevent unnecessary modification of the RHEL system default value +while still checking for the secure configuration. + +See the explanation in +https://bugzilla.redhat.com/show_bug.cgi?id=2081728: +sysctl_kernel_unprivileged_bpf_disabled sets the +kernel.unprivileged_bpf_disabled value to 1. 
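Review bot: The new `sysctlval_remediate` handling in `preprocess()` only rejects a list without a remediation value; it does not verify that the chosen value is one of the accepted values, so a typo such as `sysctlval_remediate: "3"` next to `sysctlval: ['1', '2']` would produce Bash and Ansible remediations that move the system into a state the rule then fails, and remediate-then-scan never converges. Adding a check after the existing block closes that gap: `if isinstance(data["sysctlval"], list) and data["sysctlval_remediate"] not in data["sysctlval"]:` / `raise ValueError("sysctlval_remediate of {0} is not in sysctlval".format(data["_rule_id"]))`. Note that `not data.get("sysctlval_remediate")` also treats an explicit empty string as missing, which is what the templates expect for the XCCDF-variable case.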
However, on RHEL 9 the +kernel supports new value 2 which per +https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled +makes it for a privileged admin to re-enable unprivileged BPF. The value +2 is also the RHEL 9 default. So the current +sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies +the RHEL 9 default. +--- + .../rule.yml | 82 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +new file mode 100644 +index 00000000000..f45769dd2d0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -0,0 +1,82 @@ ++documentation_complete: true ++ ++prodtype: rhel9 ++ ++title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' ++ ++description: |- ++ To prevent unprivileged processes from using the bpf() syscall ++ the kernel.unprivileged_bpf_disabled kernel parameter must ++ be set to 1 or 2. ++ ++ Writing 1 to this entry will disable unprivileged calls to bpf(); once ++ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. ++ Once set to 1, this can't be cleared from the running kernel anymore. ++ ++ Writing 2 to this entry will also disable unprivileged calls to bpf(), ++ however, an admin can still change this setting later on, if needed, by ++ writing 0 or 1 to this entry. 
++ ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ ++rationale: |- ++ Loading and accessing the packet filters programs and maps using the bpf() ++ syscall has the potential of revealing sensitive information about the kernel state. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87712-6 ++ ++references: ++ disa: CCI-000366 ++ nist: AC-6,SC-7(10) ++ ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 ++ stigid@ol8: OL08-00-040281 ++ stigid@rhel8: RHEL-08-040281 ++ ++ocil: |- ++ The runtime status of the kernel.unprivileged_bpf_disabled ++ kernel parameter can be queried by running the following command: ++
$ sysctl kernel.unprivileged_bpf_disabled
++ The output of the command should indicate either:
++ kernel.unprivileged_bpf_disabled = 1
++ or:
++ kernel.unprivileged_bpf_disabled = 2
++ The output of the command should not indicate:
++ kernel.unprivileged_bpf_disabled = 0
++
++ The preferable way how to assure the runtime compliance is to have
++ correct persistent configuration, and rebooting the system.
++
++ The persistent kernel parameter configuration is performed by specifying the appropriate
++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ ++ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. ++ ++ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" ++ ++fixtext: |- ++ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ ++srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.unprivileged_bpf_disabled ++ sysctlval: ++ - '1' ++ - '2' ++ sysctlval_remediate: "2" ++ missing_static_pass: "true" ++ datatype: int +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..2c2cf12cafe 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1435,7 +1435,6 @@ CCE-87708-4 + CCE-87709-2 + CCE-87710-0 + CCE-87711-8 +-CCE-87712-6 + CCE-87713-4 + CCE-87714-2 + CCE-87715-9 + +From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:21:50 +0200 +Subject: [PATCH 09/23] Add test scenarios for rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +--- + .../tests/system_default.pass.sh | 5 +++++ + .../tests/test_config.yml | 6 ++++++ + .../tests/value_0.fail.sh | 11 +++++++++++ + .../tests/value_1.pass.sh | 11 +++++++++++ + .../tests/value_2.pass.sh | 11 +++++++++++ + 5 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
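Review bot: The new rule's description still ends with `{{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}`, which by its name instructs the reader to set exactly 1, contradicting the "1 or 2" text directly above it and the template's `sysctlval_remediate: "2"`; the macro call should either use `value="2"` to match the remediation or be dropped in favor of the explicit text. The OCIL grep uses `{{{ sysctl }}}` where every other OCIL block in this series writes the parameter literally, so unless `sysctl` is defined in the rule's rendering context the command renders incomplete: `$ grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d`. The `fixtext` names no value at all, so an assessor has nothing concrete to set. The `stigid@ol8`/`stigid@rhel8` references on a `prodtype: rhel9` rule look inherited from the original rule and may not apply.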
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +new file mode 100644 +index 00000000000..b9776227bdb +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +new file mode 100644 +index 00000000000..dbac89b4caa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -0,0 +1,6 @@ ++deny_templated_scenarios: ++ - line_not_there.fail.sh ++ - comment.fail.sh ++ - wrong_value.fail.sh ++ - wrong_value_d_directory.fail.sh ++ - wrong_runtime.fail.sh +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
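Review bot: `system_default.pass.sh` clears only the `sysctl.d` directories and leaves `/etc/sysctl.conf` untouched, whereas the sibling scenarios run `sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf` first; any pre-existing assignment in that file (from the image build, or from a previous scenario if the test backend does not restore a snapshot between runs) means this scenario no longer exercises the "no static configuration" path that `missing_static_pass` was added for. Adding the same `sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf` line makes the precondition explicit. The scenario also does not set the runtime value, so its outcome presumably relies on the platform default being 2.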
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +new file mode 100644 +index 00000000000..9f19e0140b4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="0" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +new file mode 100644 +index 00000000000..e976db594c8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="1" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +new file mode 100644 +index 
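Review bot: The comment introducing the last line of value_0.fail.sh, `# set correct runtime value to check if the filesystem configuration is evaluated properly`, contradicts the command under it, which writes the failing value (`sysctl -w kernel.unprivileged_bpf_disabled="0"`); it was carried over from the pass scenarios. It should describe what this scenario exercises, e.g. `# runtime is also set to the wrong value 0; the check must fail on both the runtime and the /etc/sysctl.conf entry`. The exit status of `sysctl -w` is not checked in any of these scripts, so a refused write would leave the runtime at its previous value without the scenario noticing; `sysctl -w kernel.unprivileged_bpf_disabled="0" || exit 1` would make that visible.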
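Review bot: value_1.pass.sh writes 1 to the running kernel (`sysctl -w kernel.unprivileged_bpf_disabled="1"`), and the rule description in this same series states that once set to 1 the value cannot be cleared from the running kernel; if the test backend does not revert the machine between scenarios, every later scenario that writes 0 or 2 is refused, and because the exit status is not checked, value_0.fail.sh would then fail for the wrong reason (runtime still 1) and a templated wrong_runtime.fail.sh would pass for the wrong reason. Whether scenarios share a kernel depends on the harness, which is not visible here. I would at least record the hazard in the script, `# NOTE: 1 is sticky for the running kernel; this scenario needs a fresh snapshot`, and check the write, `sysctl -w kernel.unprivileged_bpf_disabled="1" || exit 1`.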
00000000000..b1537175eb4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="2" + +From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:14:53 +0200 +Subject: [PATCH 10/23] Use rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default +instead of the rule sysctl_kernel_unprivileged_bpf_disabled +in the RHEL 9 OSPP profile. 
+---
+ products/rhel9/profiles/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index a7ba9532d2c..19e4878c4b0 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -74,7 +74,7 @@ selections:
+ - sysctl_kernel_yama_ptrace_scope
+ - sysctl_kernel_perf_event_paranoid
+ - sysctl_user_max_user_namespaces
+- - sysctl_kernel_unprivileged_bpf_disabled
++ - sysctl_kernel_unprivileged_bpf_disabled_accept_default
+ - service_kdump_disabled
+ 
+ ### Audit
+
+From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 14 Jul 2022 09:25:26 +0200
+Subject: [PATCH 11/23] Document that sysctlval can be a list
+
+---
+ docs/templates/template_reference.md | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
+index 5785f1d453f..716407fd5c9 100644
+--- a/docs/templates/template_reference.md
++++ b/docs/templates/template_reference.md
+@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo
+ 
+ - **datatype** - data type of the sysctl value, eg. `int`.
+ 
+- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this
++ - **sysctlval** - value of the sysctl value. This can be either an atomic
++ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this
+ parameter is not specified, XCCDF Value is used instead.
+ 
+ - **sysctlval_remediate** - the value that will be used in remediations.
+ +From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:00:59 +0200 +Subject: [PATCH 12/23] Document the missing_static_pass option + +--- + docs/templates/template_reference.md | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 716407fd5c9..65da697b808 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **missing_static_pass** - if set to `true` the check will pass if the ++ setting for the given **sysctlvar** is not present in sysctl ++ configuration files. In other words, the check will pass if the system ++ default isn't overriden by configuration. Default value: `false`. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. + + +From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:03:53 +0200 +Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter + +When the `sysctalval` parameter is a list, this parameter will be +substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This +is better than current computing of the SYSCTL_WRONG_VALUE parameter +which is done by prepending "1" to the string value, because the +computed value could be invalid and the `sysctl -w` command used in the +test scenario wrong_runtime.fail.sh could fail to set the value to +SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same +time the `missing_static_pass` is set to `true` and the system is set to +system default, then the unchanged runtime would cause the check to pass +and therefore the test scenario wrong_runtime.fail.sh to error. +--- + docs/templates/template_reference.md | 3 +++ + .../rule.yml | 1 + + shared/templates/sysctl/template.py | 7 ++----- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 65da697b808..7e1fc7049cf 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **sysctlval_wrong** - the value that is always wrong. This will be used ++ only in the test scenarios only if **sysctlval** is a list. ++ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. 
In other words, the check will pass if the system +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index f45769dd2d0..ddff15dff8f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,6 @@ template: + - '1' + - '2' + sysctlval_remediate: "2" ++ sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2574d5d42b0..96663694997 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -41,11 +41,8 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval"][0] +- if data["datatype"] == "int": +- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] +- elif data["datatype"] == "string": +- data["sysctl_wrong_value"] = "wrong_value" ++ data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:23:59 +0200 +Subject: [PATCH 14/23] Change test_config.yml + +--- + .../tests/test_config.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index dbac89b4caa..c379680e25c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,6 +1,6 @@ + deny_templated_scenarios: ++ # this rule uses missing_static_pass: true which means the check should pass ++ # if the configuration is missing (or commented out) therefore we disable ++ # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh + - comment.fail.sh +- - wrong_value.fail.sh +- - wrong_value_d_directory.fail.sh +- - wrong_runtime.fail.sh + +From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 15 Jul 2022 10:36:05 +0200 +Subject: [PATCH 15/23] Simplify sysctl template + +Instead of using multiple OVAL tests in OR relation we can have +a single OVAL test containing multiple OVAL states in OR relation. +That will simplify the code. 
+--- + shared/templates/sysctl/oval.template | 82 +++++---------------------- + 1 file changed, 13 insertions(+), 69 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1719a59f9c7..8241c391ad2 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -8,7 +8,13 @@ + + {{% macro state_static_sysctld(prefix) -%}} + ++{{% if SYSCTLVAL is string %}} + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++{{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -62,38 +68,24 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} +-{{% if SYSCTLVAL is string %}} + + + +-{{% elif SYSCTLVAL is sequence %}} +- +-{{% for x in SYSCTLVAL %}} +- +-{{% endfor %}} +- +-{{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + ++ check="all" check_existence="all_exist" state_operator="OR"> + ++{{% if SYSCTLVAL is string %}} + +- + {{% elif SYSCTLVAL is sequence %}} + {{% for x in SYSCTLVAL %}} +- +- + +- + {{% endfor %}} + {{% endif %}} ++ + + + {{{ SYSCTLVAR }}} +@@ -139,7 +131,6 @@ + {{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + + +@@ -150,21 +141,6 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + +-{{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +-{{% endif %}} +-{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -185,61 +161,29 @@ +
+ {{% endif %}} + +-{{% if SYSCTLVAL is string %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> + {{{ state_static_sysctld("sysctl") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("etc_sysctld") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +- +- +- +-{{% endif %}} +-{{% endfor %}} +-{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + +Date: Mon, 25 Jul 2022 15:40:24 +0200 +Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter + +Replace the sysctlval_remediate template parameter by using an XCCDF +value. The variable would be only used in the remediation and would +allow users to tailor the value, instead of the current solution where +the value is hardcoded and can be only changed during build time. 
+--- + docs/templates/template_reference.md | 21 +++++++++---------- + .../rule.yml | 1 - + products/rhel9/profiles/ospp.profile | 1 + + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 ++++----- + shared/templates/sysctl/template.py | 11 +--------- + 6 files changed, 20 insertions(+), 30 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 7e1fc7049cf..00f991daae7 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value. This can be either an atomic +- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this +- parameter is not specified, XCCDF Value is used instead. +- +- - **sysctlval_remediate** - the value that will be used in remediations. +- If **sysctlval_remediate** is not specified, the template will use the +- value of the **sysctlval** parameter in the remediations. +- This parameter is mandatory when the **sysctlval** parameter is a list +- because we need to know which of the values in the list the system +- should be remedied to. When the **sysctlval** parameter is not a list +- this parameter is optional. ++ - **sysctlval** - value of the sysctl value. This can be either not ++ specified, or an atomic value, eg. `'1'`, or a list of values, ++ eg. `['1','2']`. ++ - If this parameter is not specified, an XCCDF Value is used instead ++ in OVAL check and remediations. ++ - If this parameter is set to an atomic value, this atomic value ++ will be used in OVAL check and remediations. ++ - If this parameter is set to a list of values, the list will be used ++ in the OVAL check, but won't be used in the remediations. ++ All remediations will use an XCCDF value instead. 
+ + - **sysctlval_wrong** - the value that is always wrong. This will be used + only in the test scenarios only if **sysctlval** is a list. +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ddff15dff8f..9936ed777c8 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,7 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_remediate: "2" + sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 19e4878c4b0..b47630c62b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,6 +75,7 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled_accept_default ++ - sysctl_kernel_unprivileged_bpf_disabled_value=2 + - service_kdump_disabled + + ### Audit +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index 7724db5e5ff..edc4d3fb667 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} ++- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL_REMEDIATE }}}" ++ value: "{{{ SYSCTLVAL }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index 63948bd5a26..cd3424b0228 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 96663694997..2b779f99a62 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,15 +16,6 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + +- if not data.get("sysctlval_remediate"): +- if isinstance(data["sysctlval"], list): +- raise ValueError( +- "Problem with rule {0}: the 'sysctlval' parameter is a list " +- "but we are missing 
the 'sysctlval_remediate' parameter, so " +- "we don't know how to generate remediation content.".format( +- data["_rule_id"])) +- data["sysctlval_remediate"] = data["sysctlval"] +- + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( +@@ -41,7 +32,7 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_correct_value"] = data["sysctlval"][0] + data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + +From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 15:47:11 +0200 +Subject: [PATCH 17/23] Rename a template parameter + +Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing +--- + docs/templates/template_reference.md | 4 ++-- + .../rule.yml | 2 +- + shared/templates/sysctl/template.py | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 00f991daae7..4e6357c1579 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **sysctlval_wrong** - the value that is always wrong. This will be used +- only in the test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used ++ only in the templated test scenarios only if **sysctlval** is a list. 
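Review bot: With `sysctlval_remediate` gone, `data["sysctl_correct_value"] = data["sysctlval"][0]` makes list order significant in a way nothing documents: the first element is what templated pass scenarios write, and for this rule that is '1', the value the rule description calls irreversible for the running kernel, while the XCCDF variable the remediations now use defaults to 2. The docs hunk in this commit describes the list only as the set accepted by the OVAL check. I would state it in template_reference.md (`When sysctlval is a list, its first element is the value templated test scenarios treat as correct; list the preferred remediation value first`) and reorder this rule's list to `['2', '1']` so the tests exercise the reversible value; with the states combined by state_operator OR the order has no effect on the check. Removing the earlier ValueError also means a list-valued `sysctlval` with no matching `sysctl_<var>_value.var` is no longer reported here; if the build does not fail with a clear message elsewhere, that check is worth keeping in a new form.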
+ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 9936ed777c8..b8af4f7560d 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,6 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_wrong: "0" ++ wrong_sysctlval_for_testing: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2b779f99a62..9083a6a4185 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -33,7 +33,7 @@ def preprocess(data, lang): + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): + data["sysctl_correct_value"] = data["sysctlval"][0] +- data["sysctl_wrong_value"] = data["sysctlval_wrong"] ++ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 15:56:26 +0200 +Subject: [PATCH 18/23] Rename parameter missing_static_pass + +Rename the parameter missing_static_pass to missing_parameter_pass +to make the naming consistent with other templates where a parameter +with a similar meaning exist. 
+--- + docs/templates/template_reference.md | 2 +- + .../rule.yml | 2 +- + .../tests/test_config.yml | 2 +- + shared/templates/sysctl/oval.template | 6 +++--- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 4e6357c1579..0fff58c0a23 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo + - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used + only in the templated test scenarios only if **sysctlval** is a list. + +- - **missing_static_pass** - if set to `true` the check will pass if the ++ - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. In other words, the check will pass if the system + default isn't overriden by configuration. Default value: `false`. 
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index b8af4f7560d..7d8769a913f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,5 @@ template: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" +- missing_static_pass: "true" ++ missing_parameter_pass: "true" + datatype: int +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index c379680e25c..5cf68074050 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,5 +1,5 @@ + deny_templated_scenarios: +- # this rule uses missing_static_pass: true which means the check should pass ++ # this rule uses missing_parameter_pass: true which means the check should pass + # if the configuration is missing (or commented out) therefore we disable + # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 8241c391ad2..1a7c4979bbe 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -126,7 +126,7 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} +-{{% 
if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + {{% endif %}} + +@@ -147,13 +147,13 @@ + + {{% endif %}} + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + + {{% endif %}} + + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + +From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 16:26:03 +0200 +Subject: [PATCH 19/23] Add a variable + sysctl_kernel_unprivileged_bpf_disabled_value + +--- + ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +new file mode 100644 +index 00000000000..b8bf965a255 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++title: kernel.unprivileged_bpf_disabled ++ ++description: |- ++ Prevent unprivileged processes from using the bpf() syscall. 
++ ++type: number ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ default: 2 ++ 0: "0" ++ 1: "1" ++ 2: "2" + +From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:09 +0200 +Subject: [PATCH 20/23] Improve documentation of the sysctl template + +--- + docs/templates/template_reference.md | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 0fff58c0a23..e73b95450fe 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo + specified, or an atomic value, eg. `'1'`, or a list of values, + eg. `['1','2']`. + - If this parameter is not specified, an XCCDF Value is used instead +- in OVAL check and remediations. ++ in OVAL check and remediations. The XCCDF Value should have a file ++ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, ++ where the `escaped_sysctlvar` is a value of the **sysctlvar** ++ parameter in which all characters that don't match the `\w` regular ++ expression are replaced by an underscore (`_`). + - If this parameter is set to an atomic value, this atomic value + will be used in OVAL check and remediations. + - If this parameter is set to a list of values, the list will be used + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used +- only in the templated test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This ++ will be used in templated test scenarios when **sysctlval** is a list. 
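Review bot: The new variable offers `0: "0"` as a selectable option, yet 0 is exactly the value the paired check rejects (`sysctlval: ['1','2']`, with 0 as the designated wrong value for testing), and since this series routes all remediations for the rule through this variable, a profile or tailoring that picks `0` makes the bash and Ansible fixes write the one setting the scan then reports as failing, so check and remediation never converge. Nothing in the sysctl template validates the selected value against the accepted list, so the option menu is the only guard. I would drop the `0` option (tailoring can still enter an arbitrary value, but it will not be offered one) and make the description say why: `Prevent unprivileged processes from using the bpf() syscall. 1 disables it permanently for the running kernel, 2 disables it but lets an administrator change it later; 0 re-enables unprivileged bpf() and does not satisfy the check.`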
+ + - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + +From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:34 +0200 +Subject: [PATCH 21/23] Remove RHEL 8 STIG ID + +--- + .../rule.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 7d8769a913f..ec3b5aef82f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -33,8 +33,6 @@ references: + nist: AC-6,SC-7(10) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 +- stigid@ol8: OL08-00-040281 +- stigid@rhel8: RHEL-08-040281 + + ocil: |- + The runtime status of the kernel.unprivileged_bpf_disabled + +From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:47 +0200 +Subject: [PATCH 22/23] Fix a typo + +--- + .../rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ec3b5aef82f..589deccb0c7 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -62,7 +62,7 @@ ocil: |- + 
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" + + fixtext: |- +- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. + + srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' + + +From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 27 Jul 2022 10:36:04 +0200 +Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description + +--- + .../rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 589deccb0c7..259d1f901c6 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -13,11 +13,13 @@ description: |- + disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. + Once set to 1, this can't be cleared from the running kernel anymore. + ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ + Writing 2 to this entry will also disable unprivileged calls to bpf(), + however, an admin can still change this setting later on, if needed, by + writing 0 or 1 to this entry. 
+ +- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} + + rationale: |- + Loading and accessing the packet filters programs and maps using the bpf() diff --git a/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch b/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch new file mode 100644 index 0000000..7e5ee66 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch 
@@ -0,0 +1,92 @@
+From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Mon, 8 Aug 2022 14:34:34 +0200
+Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
+ configuring queues
+
+---
+ .../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 4ce56d2e6a5..c73d9ec95a6 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -90,3 +90,20 @@ fixtext: |-
+ *.* @@[remoteloggingserver]:[port]"
+
+ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
++
++warnings:
++ - functionality: |-
++ It is important to configure queues in case the client is sending log
++ messages to a remote server. If queues are not configured, there is a
++ danger that the system will stop functioning in case that the connection
++ to the remote server is not available. Please consult Rsyslog
++ documentation for more information about configuration of queues. The
++ example configuration which should go into /etc/rsyslog.conf
++ can look like the following lines:
++
++        $ActionQueueType LinkedList
++        $ActionQueueFileName somenameforprefix
++        $ActionQueueMaxDiskSpace 1g
++        $ActionQueueSaveOnShutdown on
++        $ActionResumeRetryCount -1
++        
+
+From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
+From: vojtapolasek
+Date: Tue, 9 Aug 2022 09:41:00 +0200
+Subject: [PATCH 2/3] Apply suggestions from code review
+
+Co-authored-by: Watson Yuuma Sato
+---
+ .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index c73d9ec95a6..706d3265a08 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -95,14 +95,14 @@ warnings:
+ - functionality: |-
+ It is important to configure queues in case the client is sending log
+ messages to a remote server. If queues are not configured, there is a
+- danger that the system will stop functioning in case that the connection
++ the system will stop functioning when the connection
+ to the remote server is not available. Please consult Rsyslog
+ documentation for more information about configuration of queues. The
+ example configuration which should go into /etc/rsyslog.conf
+ can look like the following lines:
+
+         $ActionQueueType LinkedList
+-        $ActionQueueFileName somenameforprefix
++        $ActionQueueFileName queuefilename
+         $ActionQueueMaxDiskSpace 1g
+         $ActionQueueSaveOnShutdown on
+         $ActionResumeRetryCount -1
+
+From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
+From: vojtapolasek 
+Date: Tue, 9 Aug 2022 10:55:04 +0200
+Subject: [PATCH 3/3] Update
+ linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+
+Co-authored-by: Watson Yuuma Sato 
+---
+ .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index 706d3265a08..cce4d5cac1d 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
+ warnings:
+     - functionality: |-
+         It is important to configure queues in case the client is sending log
+-        messages to a remote server. If queues are not configured, there is a
++        messages to a remote server. If queues are not configured,
+         the system will stop functioning when the connection
+         to the remote server is not available. Please consult Rsyslog
+         documentation for more information about configuration of queues. The
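Review bot: The example queue configuration added in the `warnings` block uses the legacy `$ActionQueue*`/`$ActionResumeRetryCount` directives and never says where the spool files end up, which is the first thing an administrator sizing `$ActionQueueMaxDiskSpace 1g` needs to know. One sentence after the example would close that gap, e.g. `The queue files are created under rsyslog's work directory ($WorkDirectory), which must exist and be writable by rsyslog; the same settings are available as queue.type, queue.filename, queue.maxdiskspace, queue.saveonshutdown and action.resumeRetryCount parameters of a RainerScript action().` It would also help to state plainly that `$ActionResumeRetryCount -1` retries forever and that the disk space limit caps how much is buffered during a long loghost outage, since those two values decide whether local logging keeps working rather than blocking. The `functionality` warning text edited by patches 2/3 and 3/3 is the same block, so the addition belongs in the final wording of patch 3/3.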
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 1f845a8..088ccfa 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.63
-Release:	1%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@@ -19,6 +19,21 @@ BuildArch:	noarch
 
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0:		disable-not-in-good-shape-profiles.patch
+Patch1:		scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
+Patch2:		scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
+Patch3:		scap-security-guide-0.1.64-stig_aide-PR_9282.patch
+Patch4:		scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
+Patch5:		scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
+Patch6:		scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
+Patch7:		scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
+Patch8:		scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
+Patch9:		scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
+Patch10:		scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
+Patch11:		scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
+Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
+Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
+Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
+Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
 
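Review bot: Fifteen `PatchN:` declarations are added here, but the `%prep` section that has to apply them lies outside this hunk; confirm it uses `%autosetup`/`%autopatch` or one `%patchN -p1` line per entry, otherwise the sources are declared in the SRPM but the fixes named in the changelog are not in the built content. The patch numbering is contiguous and the file names match the `SOURCES/` files added earlier in this diff, which is all that can be verified from the hunk itself. A minor style point: `Patch10:` through `Patch15:` carry an extra tab compared with `Patch0:`–`Patch9:`, so the column no longer lines up.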
 BuildRequires:	libxslt
 BuildRequires:	expat
@@ -123,6 +138,18 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 
 %changelog
+* Mon Aug 15 2022 Watson Sato  - 0.1.63-3
+- Fix Ansible partition conditional (RHBZ#2032403)
+
+* Wed Aug 10 2022 Vojtech Polasek  - 0.1.63-2
+- aligning with the latest STIG update (RHBZ#2112937)
+- OSPP: use Authselect minimal profile (RHBZ#2117192)
+- OSPP: change rules for protecting of boot (RHBZ#2116440)
+- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
+- fix handling of Defaults clause in sudoers (RHBZ#2083109)
+- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
+- fix handling of Rsyslog include directives (RHBZ#2075384)
+
 * Mon Aug 01 2022 Vojtech Polasek  - 0.1.63-1
 - Rebase to a new upstream release 0.1.63 (RHBZ#2070564)