import scap-security-guide-0.1.66-1.el9_1
This commit is contained in:
parent
35287615a6
commit
7b3a89c2e4
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.66.tar.bz2
|
||||
|
@ -1 +1 @@
|
||||
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
|
||||
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
|
||||
|
File diff suppressed because one or more lines are too long
@ -1,90 +0,0 @@
|
||||
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||
Subject: [PATCH 1/4] fix ospp references
|
||||
|
||||
---
|
||||
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
index c151d3c4aa1..f9b46c51ddd 100644
|
||||
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||
@@ -34,6 +34,7 @@ references:
|
||||
disa: CCI-000213
|
||||
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||
nist: AC-3
|
||||
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||
srg: SRG-OS-000480-GPOS-00227
|
||||
|
||||
ocil: |-
|
||||
|
||||
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index b47630c62b0..dcc41970043 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -115,7 +115,7 @@ selections:
|
||||
- coredump_disable_storage
|
||||
- coredump_disable_backtraces
|
||||
- service_systemd-coredump_disabled
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- use_pam_wheel_for_su
|
||||
|
||||
|
||||
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||
|
||||
---
|
||||
products/rhel8/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -220,7 +220,7 @@ selections:
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- accounts_max_concurrent_login_sessions
|
||||
- securetty_root_login_console_only
|
||||
- - var_authselect_profile=sssd
|
||||
+ - var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
- var_password_pam_unix_remember=5
|
||||
- accounts_password_pam_unix_remember
|
||||
|
||||
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||
Subject: [PATCH 4/4] update profile stability test
|
||||
|
||||
---
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index 5d73a8c6fef..21e93e310d5 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -242,7 +242,7 @@ selections:
|
||||
- var_slub_debug_options=P
|
||||
- var_auditd_flush=incremental_async
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
-- var_authselect_profile=sssd
|
||||
+- var_authselect_profile=minimal
|
||||
- var_password_pam_unix_remember=5
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
@ -1,302 +0,0 @@
|
||||
From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 27 Jul 2022 13:49:05 +0200
|
||||
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index dcc41970043..0902abf58db 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -110,10 +110,7 @@ selections:
|
||||
- package_gnutls-utils_installed
|
||||
|
||||
### Login
|
||||
- - disable_users_coredumps
|
||||
- sysctl_kernel_core_pattern
|
||||
- - coredump_disable_storage
|
||||
- - coredump_disable_backtraces
|
||||
- service_systemd-coredump_disabled
|
||||
- var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
|
||||
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 12:17:27 +0200
|
||||
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
|
||||
|
||||
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
|
||||
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
|
||||
---
|
||||
shared/templates/sysctl/oval.template | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
||||
index 1a7c4979bbe..e0c6f72f928 100644
|
||||
--- a/shared/templates/sysctl/oval.template
|
||||
+++ b/shared/templates/sysctl/oval.template
|
||||
@@ -17,13 +17,8 @@
|
||||
{{% endif %}}
|
||||
{{%- endmacro -%}}
|
||||
{{%- macro sysctl_match() -%}}
|
||||
-{{%- if SYSCTLVAL == "" -%}}
|
||||
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
-{{%- else -%}}
|
||||
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
-{{%- endif -%}}
|
||||
{{%- endmacro -%}}
|
||||
{{%- if "P" in FLAGS -%}}
|
||||
|
||||
|
||||
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 13:00:45 +0200
|
||||
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
|
||||
|
||||
---
|
||||
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
|
||||
2 files changed, 36 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..7fa36fb940e
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
@@ -0,0 +1,36 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||
+
|
||||
+title: 'Configure file name of core dumps'
|
||||
+
|
||||
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ The default coredump filename is <pre>core</pre>. By setting
|
||||
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||
+ <pre>.PID</pre> will be appended to the filename.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86003-1
|
||||
+
|
||||
+references:
|
||||
+ ospp: FMT_SMF_EXT.1
|
||||
+
|
||||
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||
+
|
||||
+ocil: |-
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: kernel.core_uses_pid
|
||||
+ datatype: int
|
||||
+ sysctlval: '0'
|
||||
|
||||
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 09:08:37 +0200
|
||||
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
|
||||
|
||||
---
|
||||
.../rule.yml | 49 +++++++++++++++++++
|
||||
2 files changed, 49 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..089bb1481aa
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
@@ -0,0 +1,49 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||
+
|
||||
+title: 'Disable storing core dumps'
|
||||
+
|
||||
+description: |-
|
||||
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||
+ behaves differently based on another related option. If
|
||||
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||
+ <tt>0</tt>, no coredump is saved.
|
||||
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||
+
|
||||
+rationale: |-
|
||||
+ A core dump includes a memory image taken at the time the operating system
|
||||
+ terminates an application. The memory image could contain sensitive data and is generally useful
|
||||
+ only for developers trying to debug problems.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+requires:
|
||||
+ - sysctl_kernel_core_uses_pid
|
||||
+
|
||||
+conflicts:
|
||||
+ - sysctl_kernel_core_pattern
|
||||
+
|
||||
+identifiers:
|
||||
+ cce@rhel9: CCE-86005-6
|
||||
+
|
||||
+references:
|
||||
+ ospp: FMT_SMF_EXT.1
|
||||
+
|
||||
+ocil_clause: |-
|
||||
+ the returned line does not have a value of ''.
|
||||
+
|
||||
+ocil: |
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||
+
|
||||
+platform: machine
|
||||
+
|
||||
+template:
|
||||
+ name: sysctl
|
||||
+ vars:
|
||||
+ sysctlvar: kernel.core_pattern
|
||||
+ sysctlval: "''"
|
||||
+ datatype: string
|
||||
|
||||
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 10:40:47 +0200
|
||||
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index 0902abf58db..b1b18261d48 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -110,7 +110,8 @@ selections:
|
||||
- package_gnutls-utils_installed
|
||||
|
||||
### Login
|
||||
- - sysctl_kernel_core_pattern
|
||||
+ - sysctl_kernel_core_pattern_empty_string
|
||||
+ - sysctl_kernel_core_uses_pid
|
||||
- service_systemd-coredump_disabled
|
||||
- var_authselect_profile=minimal
|
||||
- enable_authselect
|
||||
|
||||
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 3 Aug 2022 13:01:12 +0200
|
||||
Subject: [PATCH 6/8] describe beneficial dependency between
|
||||
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
|
||||
|
||||
---
|
||||
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
index 7fa36fb940e..d6d2c468c10 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
|
||||
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
|
||||
|
||||
rationale: |-
|
||||
- The default coredump filename is <pre>core</pre>. By setting
|
||||
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
|
||||
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
|
||||
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
|
||||
- <pre>.PID</pre> will be appended to the filename.
|
||||
+ The default coredump filename is <tt>core</tt>. By setting
|
||||
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
|
||||
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
|
||||
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
|
||||
+ <tt>.PID</tt> will be appended to the filename.
|
||||
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
|
||||
+ is ensured that no core dumps are generated and also no confusing error
|
||||
+ messages are printed by a shell.
|
||||
|
||||
severity: medium
|
||||
|
||||
|
||||
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 10:53:37 +0200
|
||||
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
|
||||
sysctl_kernel_core_pattern_empty_string
|
||||
|
||||
they are modifying the same configuration
|
||||
---
|
||||
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
index 771c4d40e0f..c27a9e7ecf3 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
@@ -13,6 +13,9 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+conflicts:
|
||||
+ - sysctl_kernel_core_pattern_empty_string
|
||||
+
|
||||
identifiers:
|
||||
cce@rhcos4: CCE-82527-3
|
||||
cce@rhel8: CCE-82215-5
|
||||
|
||||
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 9 Aug 2022 16:43:20 +0200
|
||||
Subject: [PATCH 8/8] fix ocils
|
||||
|
||||
---
|
||||
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
|
||||
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
index c27a9e7ecf3..1a540ce20b3 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
@@ -29,7 +29,10 @@ references:
|
||||
stigid@ol8: OL08-00-010671
|
||||
stigid@rhel8: RHEL-08-010671
|
||||
|
||||
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||
+ocil_clause: |-
|
||||
+ the returned line does not have a value of "|/bin/false", or a line is not
|
||||
+ returned and the need for core dumps is not documented with the Information
|
||||
+ System Security Officer (ISSO) as an operational requirement
|
||||
|
||||
ocil: |
|
||||
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
index d6d2c468c10..8f51f97c16c 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
|
||||
@@ -24,10 +24,10 @@ identifiers:
|
||||
references:
|
||||
ospp: FMT_SMF_EXT.1
|
||||
|
||||
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
|
||||
+ocil_clause: 'the returned line does not have a value of 0'
|
||||
|
||||
ocil: |-
|
||||
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
|
||||
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
|
||||
|
||||
platform: machine
|
||||
|
@ -1,826 +0,0 @@
|
||||
From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 13:06:49 +0200
|
||||
Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
|
||||
content.
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 32 +++
|
||||
.../bash/shared.sh | 60 +++++
|
||||
.../oval/shared.xml | 221 ++++++++++++++++++
|
||||
.../rule.yml | 23 +-
|
||||
.../tests/correct_value.pass.sh | 10 +
|
||||
.../tests/wrong_value.fail.sh | 10 +
|
||||
.../tests/wrong_value_three_entries.fail.sh | 11 +
|
||||
.../tests/wrong_value_two_entries.fail.sh | 10 +
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
9 files changed, 366 insertions(+), 13 deletions(-)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
new file mode 100644
|
||||
index 00000000000..a6e7bf54b56
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
@@ -0,0 +1,32 @@
|
||||
+# platform = multi_platform_all
|
||||
+# reboot = true
|
||||
+# strategy = disable
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+- name: List /etc/sysctl.d/*.conf files
|
||||
+ find:
|
||||
+ paths:
|
||||
+ - /etc/sysctl.d/
|
||||
+ - /run/sysctl.d/
|
||||
+ contains: ^[\s]*kernel.core_pattern.*$
|
||||
+ patterns: '*.conf'
|
||||
+ file_type: any
|
||||
+ register: find_sysctl_d
|
||||
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||
+ files
|
||||
+ replace:
|
||||
+ path: '{{ item.path }}'
|
||||
+ regexp: ^[\s]*kernel.core_pattern
|
||||
+ replace: '#kernel.core_pattern'
|
||||
+ loop: '{{ find_sysctl_d.files }}'
|
||||
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||
+ replace:
|
||||
+ path: /etc/sysctl.conf
|
||||
+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||
+ replace: '#kernel.core_pattern'
|
||||
+- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||
+ sysctl:
|
||||
+ name: kernel.core_pattern
|
||||
+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
|
||||
+ state: present
|
||||
+ reload: true
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
new file mode 100644
|
||||
index 00000000000..989987250bc
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
@@ -0,0 +1,60 @@
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
+# reboot = true
|
||||
+# strategy = disable
|
||||
+# complexity = low
|
||||
+# disruption = medium
|
||||
+# Remediation is applicable only in certain platforms
|
||||
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
|
||||
+
|
||||
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
|
||||
+
|
||||
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
|
||||
+
|
||||
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
|
||||
+ if ! test -z "$matching_list"; then
|
||||
+ while IFS= read -r entry; do
|
||||
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
|
||||
+ # comment out "kernel.core_pattern" matches to preserve user data
|
||||
+ sed -i "s/^${escaped_entry}$/# &/g" $f
|
||||
+ done <<< "$matching_list"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+#
|
||||
+# Set runtime for kernel.core_pattern
|
||||
+#
|
||||
+/sbin/sysctl -q -n -w kernel.core_pattern=""
|
||||
+
|
||||
+#
|
||||
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
|
||||
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
|
||||
+#
|
||||
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
|
||||
+# Otherwise, regular sed command will do.
|
||||
+sed_command=('sed' '-i')
|
||||
+if test -L "/etc/sysctl.conf"; then
|
||||
+ sed_command+=('--follow-symlinks')
|
||||
+fi
|
||||
+
|
||||
+# Strip any search characters in the key arg so that the key can be replaced without
|
||||
+# adding any search characters to the config file.
|
||||
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
|
||||
+
|
||||
+# shellcheck disable=SC2059
|
||||
+printf -v formatted_output "%s=" "$stripped_key"
|
||||
+
|
||||
+# If the key exists, change it. Otherwise, add it to the config_file.
|
||||
+# We search for the key string followed by a word boundary (matched by \>),
|
||||
+# so if we search for 'setting', 'setting2' won't match.
|
||||
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
|
||||
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
|
||||
+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
|
||||
+else
|
||||
+ # \n is precaution for case where file ends without trailing newline
|
||||
+
|
||||
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
|
||||
+fi
|
||||
+
|
||||
+else
|
||||
+ >&2 echo 'Remediation is not applicable, nothing was done'
|
||||
+fi
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
new file mode 100644
|
||||
index 00000000000..39654259dcb
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
@@ -0,0 +1,221 @@
|
||||
+
|
||||
+
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
|
||||
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <extend_definition comment="kernel.core_pattern configuration setting check"
|
||||
+ definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
|
||||
+ <extend_definition comment="kernel.core_pattern runtime setting check"
|
||||
+ definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+</def-group><def-group>
|
||||
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+
|
||||
+ <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
|
||||
+ comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||
+ check="all" check_existence="all_exist" state_operator="OR">
|
||||
+ <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
+
|
||||
+ <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
+
|
||||
+ </unix:sysctl_test>
|
||||
+
|
||||
+ <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||
+ <unix:name>kernel.core_pattern</unix:name>
|
||||
+ </unix:sysctl_object>
|
||||
+
|
||||
+
|
||||
+ <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||
+
|
||||
+ <unix:value datatype="string"
|
||||
+ operation="equals"></unix:value>
|
||||
+
|
||||
+ </unix:sysctl_state>
|
||||
+
|
||||
+</def-group>
|
||||
+<def-group>
|
||||
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
|
||||
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
|
||||
+ <criteria operator="AND">
|
||||
+ <criteria operator="OR">
|
||||
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
|
||||
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
|
||||
+ <!-- see sysctl.d(5) -->
|
||||
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
|
||||
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||
+
|
||||
+ </criteria>
|
||||
+
|
||||
+ <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||
+ </criteria>
|
||||
+ </definition>
|
||||
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||
+ <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||
+ comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
|
||||
+ <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+
|
||||
+ </ind:textfilecontent54_test>
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
|
||||
+ comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
|
||||
+ <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
+
|
||||
+ </ind:textfilecontent54_test>
|
||||
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
|
||||
+ id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||
+ <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||
+ <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||
+ </ind:variable_test>
|
||||
+
|
||||
+ <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||
+ <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||
+ <ind:value operation="equals" datatype="int">1</ind:value>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
|
||||
+ <count>
|
||||
+ <unique>
|
||||
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
|
||||
+ </unique>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
|
||||
+ <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
|
||||
+ </set>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
|
||||
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
+ <!-- <no symlink handling> -->
|
||||
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
|
||||
+ This ultimately avoids referencing a variable with "no values",
|
||||
+ we reference a variable with a blank string -->
|
||||
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
|
||||
+ <unique>
|
||||
+ <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
|
||||
+ </unique>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ </set>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
|
||||
+ <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <literal_component datatype="string"></literal_component>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
|
||||
+ <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+ <!-- </no symlink handling> -->
|
||||
+
|
||||
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <unique>
|
||||
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
|
||||
+ </unique>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
|
||||
+ Workaround by querying for all conf files found -->
|
||||
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
|
||||
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
|
||||
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
|
||||
+ </unix:symlink_object>
|
||||
+
|
||||
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
|
||||
+ ^/etc/sysctl.conf$
|
||||
+ ^/etc/sysctl.d/.*$
|
||||
+ ^/run/sysctl.d/.*$
|
||||
+ ^/usr/lib/sysctl.d/.*$ -->
|
||||
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||
+ </unix:symlink_state>
|
||||
+
|
||||
+
|
||||
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
|
||||
+ variable to have no value even when there are valid objects. -->
|
||||
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ </set>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+ </set>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <set>
|
||||
+ <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
+
|
||||
+ </set>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
|
||||
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <ind:path>/etc/sysctl.d</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+ <ind:path>/run/sysctl.d</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
+ </ind:textfilecontent54_object>
|
||||
+ <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
+
|
||||
+ <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||
+
|
||||
+ </ind:textfilecontent54_state>
|
||||
+
|
||||
+</def-group>
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
index dc21f53c98c..2babb28e361 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
@@ -1,18 +1,18 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||
+prodtype: rhel9
|
||||
|
||||
title: 'Disable storing core dumps'
|
||||
|
||||
description: |-
|
||||
The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||
- name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||
+ name. It can be set to an empty string. In this case, the kernel
|
||||
behaves differently based on another related option. If
|
||||
<tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||
<tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||
created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||
<tt>0</tt>, no coredump is saved.
|
||||
- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
|
||||
|
||||
rationale: |-
|
||||
A core dump includes a memory image taken at the time the operating system
|
||||
@@ -30,17 +30,16 @@ conflicts:
|
||||
identifiers:
|
||||
cce@rhel9: CCE-86005-6
|
||||
|
||||
+references:
|
||||
+ ospp: FMT_SMF_EXT.1
|
||||
+
|
||||
ocil_clause: |-
|
||||
- the returned line does not have a value of ''.
|
||||
+ the returned line does not have an empty string
|
||||
|
||||
ocil: |
|
||||
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||
+ The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
|
||||
+ by running the following command:
|
||||
+ <pre>$ sysctl kernel.core_pattern | cat -A</pre>
|
||||
+ <code>kernel.core_pattern = $</code>
|
||||
|
||||
platform: machine
|
||||
-
|
||||
-template:
|
||||
- name: sysctl
|
||||
- vars:
|
||||
- sysctlvar: kernel.core_pattern
|
||||
- sysctlval: "''"
|
||||
- datatype: string
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..71f0f5db142
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern=""
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..1c5fabcc136
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern="|/bin/false"
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..e56e927ec56
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||
@@ -0,0 +1,11 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern=""
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6c065b1e038
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern=""
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index 9fdd1354e38..b1b18261d48 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -110,7 +110,7 @@ selections:
|
||||
- package_gnutls-utils_installed
|
||||
|
||||
### Login
|
||||
- - sysctl_kernel_core_pattern
|
||||
+ - sysctl_kernel_core_pattern_empty_string
|
||||
- sysctl_kernel_core_uses_pid
|
||||
- service_systemd-coredump_disabled
|
||||
- var_authselect_profile=minimal
|
||||
|
||||
From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 11:13:04 +0200
|
||||
Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
|
||||
|
||||
The new rule empty is applicable only to RHEL9 and if there would not be
|
||||
the restriction, then dangling references would be produced.
|
||||
---
|
||||
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
index 1a540ce20b3..e369854060b 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||
@@ -13,8 +13,10 @@ rationale: |-
|
||||
|
||||
severity: medium
|
||||
|
||||
+{{% if product in ["rhel9"] %}}
|
||||
conflicts:
|
||||
- sysctl_kernel_core_pattern_empty_string
|
||||
+{{% endif %}}
|
||||
|
||||
identifiers:
|
||||
cce@rhcos4: CCE-82527-3
|
||||
|
||||
From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 11:16:41 +0200
|
||||
Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
|
||||
sysctl_kernel_core_pattern_empty_string.
|
||||
|
||||
---
|
||||
.../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
index 989987250bc..9e84d41056d 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
+# platform = multi_platform_all
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
|
||||
From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 11:23:04 +0200
|
||||
Subject: [PATCH 4/8] Address feedback.
|
||||
|
||||
---
|
||||
.../ansible/shared.yml | 3 +++
|
||||
.../oval/shared.xml | 19 +++++--------------
|
||||
2 files changed, 8 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
index a6e7bf54b56..22a8d99dae8 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
@@ -12,6 +12,7 @@
|
||||
patterns: '*.conf'
|
||||
file_type: any
|
||||
register: find_sysctl_d
|
||||
+
|
||||
- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||
files
|
||||
replace:
|
||||
@@ -19,11 +20,13 @@
|
||||
regexp: ^[\s]*kernel.core_pattern
|
||||
replace: '#kernel.core_pattern'
|
||||
loop: '{{ find_sysctl_d.files }}'
|
||||
+
|
||||
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||
replace:
|
||||
path: /etc/sysctl.conf
|
||||
regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||
replace: '#kernel.core_pattern'
|
||||
+
|
||||
- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||
sysctl:
|
||||
name: kernel.core_pattern
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
index 39654259dcb..1c3bbfd9a3e 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||
@@ -10,7 +10,9 @@
|
||||
definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
</criteria>
|
||||
</definition>
|
||||
-</def-group><def-group>
|
||||
+</def-group>
|
||||
+
|
||||
+<def-group>
|
||||
<definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||
{{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||
<criteria operator="AND">
|
||||
@@ -23,21 +25,15 @@
|
||||
comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||
check="all" check_existence="all_exist" state_operator="OR">
|
||||
<unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
-
|
||||
<unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||
-
|
||||
</unix:sysctl_test>
|
||||
|
||||
<unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||
<unix:name>kernel.core_pattern</unix:name>
|
||||
</unix:sysctl_object>
|
||||
|
||||
-
|
||||
<unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||
-
|
||||
- <unix:value datatype="string"
|
||||
- operation="equals"></unix:value>
|
||||
-
|
||||
+ <unix:value datatype="string" operation="equals"></unix:value>
|
||||
</unix:sysctl_state>
|
||||
|
||||
</def-group>
|
||||
@@ -53,18 +49,17 @@
|
||||
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||
<criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||
-
|
||||
</criteria>
|
||||
|
||||
<criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||
</criteria>
|
||||
</definition>
|
||||
+
|
||||
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||
<ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||
<ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||
-
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||
@@ -165,7 +160,6 @@
|
||||
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||
</unix:symlink_state>
|
||||
|
||||
-
|
||||
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
<object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||
</local_variable>
|
||||
@@ -189,7 +183,6 @@
|
||||
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
<set>
|
||||
<object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||
-
|
||||
</set>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
@@ -213,9 +206,7 @@
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
<ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||
-
|
||||
<ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||
-
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
</def-group>
|
||||
|
||||
From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 14:46:15 +0200
|
||||
Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
|
||||
def-group tags.
|
||||
|
||||
---
|
||||
tests/test_parse_affected.py | 26 ++++++++++++++++----------
|
||||
1 file changed, 16 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
|
||||
index 8407794b972..947b56636c0 100755
|
||||
--- a/tests/test_parse_affected.py
|
||||
+++ b/tests/test_parse_affected.py
|
||||
@@ -3,6 +3,7 @@
|
||||
from __future__ import print_function
|
||||
|
||||
import os
|
||||
+import re
|
||||
import sys
|
||||
|
||||
import ssg.constants
|
||||
@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
|
||||
if not xml_content:
|
||||
continue
|
||||
|
||||
- oval_contents = ssg.utils.split_string_content(xml_content)
|
||||
+ # split multiple def group into a list so multiple definitions in one OVAL also work
|
||||
+ # this findall does not preserv the <def-group> tag but it's not necessary for the
|
||||
+ # purpose of the test
|
||||
+ xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
|
||||
+ for item in xml_content_list:
|
||||
+ oval_contents = ssg.utils.split_string_content(item)
|
||||
|
||||
- try:
|
||||
- results = ssg.oval.parse_affected(oval_contents)
|
||||
+ try:
|
||||
+ results = ssg.oval.parse_affected(oval_contents)
|
||||
|
||||
- assert len(results) == 3
|
||||
- assert isinstance(results[0], int)
|
||||
- assert isinstance(results[1], int)
|
||||
+ assert len(results) == 3
|
||||
+ assert isinstance(results[0], int)
|
||||
+ assert isinstance(results[1], int)
|
||||
|
||||
- except ValueError as e:
|
||||
- print("No <affected> element found in file {}. "
|
||||
- " Parsed XML was:\n{}".format(oval, xml_content))
|
||||
- raise e
|
||||
+ except ValueError as e:
|
||||
+ print("No <affected> element found in file {}. "
|
||||
+ " Parsed XML was:\n{}".format(oval, item))
|
||||
+ raise e
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 15:14:57 +0200
|
||||
Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
|
||||
values.
|
||||
|
||||
Comment out any offending line.
|
||||
---
|
||||
.../ansible/shared.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
index 22a8d99dae8..f4dc5110fee 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||
@@ -24,8 +24,8 @@
|
||||
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||
replace:
|
||||
path: /etc/sysctl.conf
|
||||
- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||
- replace: '#kernel.core_pattern'
|
||||
+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
|
||||
+ replace: '#kernel.core_pattern\1'
|
||||
|
||||
- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||
sysctl:
|
||||
|
||||
From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 15:20:41 +0200
|
||||
Subject: [PATCH 7/8] Fix PEP8 issue.
|
||||
|
||||
---
|
||||
tests/test_parse_affected.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
|
||||
index 947b56636c0..53690df5ce1 100755
|
||||
--- a/tests/test_parse_affected.py
|
||||
+++ b/tests/test_parse_affected.py
|
||||
@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
|
||||
|
||||
except ValueError as e:
|
||||
print("No <affected> element found in file {}. "
|
||||
- " Parsed XML was:\n{}".format(oval, item))
|
||||
+ " Parsed XML was:\n{}".format(oval, item))
|
||||
raise e
|
||||
|
||||
|
||||
|
||||
From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 16:31:31 +0200
|
||||
Subject: [PATCH 8/8] Add more test scenarios for
|
||||
sysctl_kernel_core_pattern_empty_string.
|
||||
|
||||
---
|
||||
.../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
|
||||
.../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
|
||||
.../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
|
||||
3 files changed, 29 insertions(+)
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||
new file mode 100644
|
||||
index 00000000000..b6688e6ca91
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern= " >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern=""
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..6c574b92762
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||
@@ -0,0 +1,9 @@
|
||||
+#!/bin/bash
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern=""
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||
new file mode 100644
|
||||
index 00000000000..8c729677b86
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||
@@ -0,0 +1,10 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Clean sysctl config directories
|
||||
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||
+
|
||||
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||
+
|
||||
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||
+sysctl -w kernel.core_pattern="|/bin/false"
|
@ -1,47 +0,0 @@
|
||||
From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Wed, 20 Jul 2022 14:18:13 +0200
|
||||
Subject: [PATCH] change remediations to include the "=" sign
|
||||
|
||||
---
|
||||
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
|
||||
.../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
index c335a9e7fa2..852ca18cf79 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
|
||||
@@ -20,7 +20,7 @@
|
||||
lineinfile:
|
||||
create: yes
|
||||
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
|
||||
- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
path: {{{ openssl_cnf_path }}}
|
||||
when:
|
||||
- test_crypto_policy_group.stdout is defined
|
||||
@@ -29,7 +29,7 @@
|
||||
- name: "Add crypto_policy group and set include opensslcnf.config"
|
||||
lineinfile:
|
||||
create: yes
|
||||
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
|
||||
path: {{{ openssl_cnf_path }}}
|
||||
when:
|
||||
- test_crypto_policy_group.stdout is defined
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
index 21edb780a2f..79eb5cff189 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
|
||||
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
|
||||
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
|
||||
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
|
||||
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
|
||||
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
|
||||
|
||||
{{% if 'sle' in product %}}
|
||||
{{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
|
@ -1,29 +0,0 @@
|
||||
From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Thu, 28 Jul 2022 15:08:15 +0200
|
||||
Subject: [PATCH] Remove a confusing sentence
|
||||
|
||||
In the rule description, there are 2 conflicting sentences, they
|
||||
both start by "By default ...", but they negate each other.
|
||||
In fact, the second of them is true, so the first one could be
|
||||
removed.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
|
||||
---
|
||||
.../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||
index 932d76c36d9..332712ea1dd 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
||||
@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
|
||||
description: |-
|
||||
Single-user mode is intended as a system recovery
|
||||
method, providing a single user root access to the system by
|
||||
- providing a boot option at startup. By default, no authentication
|
||||
- is performed if single-user mode is selected.
|
||||
+ providing a boot option at startup.
|
||||
<br /><br />
|
||||
By default, single-user mode is protected by requiring a password and is set
|
||||
in <tt>/usr/lib/systemd/system/rescue.service</tt>.
|
@ -1,48 +0,0 @@
|
||||
From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 22 Aug 2022 13:51:28 +0200
|
||||
Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
|
||||
sysctl_kernel_core_pattern
|
||||
|
||||
---
|
||||
products/rhel9/profiles/ospp.profile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||
index b1b18261d48..9fdd1354e38 100644
|
||||
--- a/products/rhel9/profiles/ospp.profile
|
||||
+++ b/products/rhel9/profiles/ospp.profile
|
||||
@@ -110,7 +110,7 @@ selections:
|
||||
- package_gnutls-utils_installed
|
||||
|
||||
### Login
|
||||
- - sysctl_kernel_core_pattern_empty_string
|
||||
+ - sysctl_kernel_core_pattern
|
||||
- sysctl_kernel_core_uses_pid
|
||||
- service_systemd-coredump_disabled
|
||||
- var_authselect_profile=minimal
|
||||
|
||||
From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Mon, 22 Aug 2022 13:51:55 +0200
|
||||
Subject: [PATCH 2/2] remove ospp reference from
|
||||
sysctl_kernel_core_pattern_empty_string
|
||||
|
||||
---
|
||||
.../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
index 089bb1481aa..dc21f53c98c 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||
@@ -30,9 +30,6 @@ conflicts:
|
||||
identifiers:
|
||||
cce@rhel9: CCE-86005-6
|
||||
|
||||
-references:
|
||||
- ospp: FMT_SMF_EXT.1
|
||||
-
|
||||
ocil_clause: |-
|
||||
the returned line does not have a value of ''.
|
||||
|
@ -1,60 +0,0 @@
|
||||
From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 11 Aug 2022 16:53:48 +0200
|
||||
Subject: [PATCH] add 4 rules back to RHEL9 datastream
|
||||
|
||||
---
|
||||
.../services/kerberos/package_krb5-server_removed/rule.yml | 2 +-
|
||||
.../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
|
||||
.../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
|
||||
.../system-tools/package_krb5-workstation_removed/rule.yml | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
|
||||
index 78577046409..17d742d9692 100644
|
||||
--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Remove the Kerberos Server Package'
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
index d8a3910ff4d..9be95ffed5c 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Remove NIS Client'
|
||||
|
||||
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
index ee7ccb2d8da..0f7ad7c0431 100644
|
||||
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Uninstall ypserv Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
index 7a02459825d..4750fd6b266 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Uninstall krb5-workstation Package'
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,106 @@
|
||||
From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 17:49:14 +0100
|
||||
Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
|
||||
---
|
||||
.../oval/shared.xml | 68 +++++++++++++++----
|
||||
1 file changed, 54 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
index 4adef2e53f..d7c96665b4 100644
|
||||
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
|
||||
@@ -133,9 +133,10 @@
|
||||
OVAL resources in order to detect and assess only active zone, which are zones with at
|
||||
least one NIC assigned to it. Since it was possible to easily have the list of active
|
||||
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
|
||||
- level of complexity to make sure environments with multiple NICs and multiple zones are
|
||||
- in use. So, in favor of simplicity and readbility it was decided to work with a static
|
||||
- list. It means that, in the future, it is possible this list needs to be updated. -->
|
||||
+ level of complexity to ensure proper assessment in environments where multiple NICs and
|
||||
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
|
||||
+ work with a static list. It means that, in the future, it is possible this list needs to
|
||||
+ be updated. -->
|
||||
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
|
||||
datatype="string"
|
||||
comment="Regex containing the list of zones files delivered in the firewalld package">
|
||||
@@ -145,23 +146,62 @@
|
||||
<!-- If any default zone is modified by the administrator, the respective zone file is placed
|
||||
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
|
||||
directory is applicable for new zones created by the administrator. Therefore, all files
|
||||
- in this directory should also allow SSH. -->
|
||||
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
+ in this directory should also allow SSH.
|
||||
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
|
||||
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
|
||||
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
|
||||
+ an impact in transparency since the objects are not shown in reports. The transparency
|
||||
+ impact can be workarounded by using other OVAL objects, but this would impact in
|
||||
+ readability and would increase complexity. This solution is in favor of simplicity. -->
|
||||
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
|
||||
check="all" check_existence="at_least_one_exists" version="1"
|
||||
comment="SSH service is defined in all zones created or modified by the administrator">
|
||||
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
- </ind:xmlfilecontent_test>
|
||||
+ <ind:object
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
|
||||
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_test>
|
||||
+
|
||||
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ version="1">
|
||||
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
|
||||
+ </ind:variable_object>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files allowing ssh">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
|
||||
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:path>/etc/firewalld/zones</ind:path>
|
||||
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
+ <ind:path>/etc/firewalld/zones</ind:path>
|
||||
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
|
||||
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
</ind:xmlfilecontent_object>
|
||||
|
||||
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
|
||||
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
|
||||
- </ind:xmlfilecontent_state>
|
||||
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ version="1">
|
||||
+ <ind:value datatype="int" operation="equals" var_check="at least one"
|
||||
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
|
||||
+ </ind:variable_state>
|
||||
+
|
||||
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
|
||||
+ datatype="int" version="1"
|
||||
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
|
||||
+ <count>
|
||||
+ <object_component item_field="filepath"
|
||||
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
|
||||
+ </count>
|
||||
+ </local_variable>
|
||||
+
|
||||
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
|
||||
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
|
||||
+ recurse_file_system="local"/>
|
||||
+ <unix:path>/etc/firewalld/zones</unix:path>
|
||||
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
|
||||
+ </unix:file_object>
|
||||
|
||||
<!-- SSH service is configured as expected -->
|
||||
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,122 @@
|
||||
From 25216f8eb9caa6e783322158967b689e8bd784e7 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 17:49:14 +0100
|
||||
Subject: [PATCH 4/5] Accept required and requisite control flag for
|
||||
pam_pwhistory
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
Patch-status: Accept required and requisite control flag for pam_pwhistory
|
||||
---
|
||||
controls/cis_rhel8.yml | 2 +-
|
||||
controls/cis_rhel9.yml | 2 +-
|
||||
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
|
||||
.../rule.yml | 4 ++++
|
||||
.../var_password_pam_remember_control_flag.var | 1 +
|
||||
products/rhel8/profiles/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig.profile | 2 +-
|
||||
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||
8 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
||||
index c0406f97b8..efc53d03fd 100644
|
||||
--- a/controls/cis_rhel8.yml
|
||||
+++ b/controls/cis_rhel8.yml
|
||||
@@ -2267,7 +2267,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
|
||||
index 7299a39528..30f7e8d182 100644
|
||||
--- a/controls/cis_rhel9.yml
|
||||
+++ b/controls/cis_rhel9.yml
|
||||
@@ -2112,7 +2112,7 @@ controls:
|
||||
rules:
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_password_pam_remember=5
|
||||
|
||||
- id: 5.5.4
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
index 1e8286a4a4..b02b7da419 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
|
||||
@@ -5,7 +5,7 @@ controls:
|
||||
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
|
||||
rules:
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- accounts_password_pam_pwhistory_remember_password_auth
|
||||
- accounts_password_pam_pwhistory_remember_system_auth
|
||||
status: automated
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
index c549de2e96..d2b220ef9f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
|
||||
@@ -129,3 +129,7 @@ warnings:
|
||||
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
|
||||
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
|
||||
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
|
||||
+ If a custom profile was created and used in the system before this authselect feature was
|
||||
+ available, the new feature can't be used with this custom profile and the
|
||||
+ remediation will fail. In this case, the custom profile should be recreated or manually
|
||||
+ updated.
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
index 8f01007550..1959936c04 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
|
||||
@@ -20,4 +20,5 @@ options:
|
||||
"sufficient": "sufficient"
|
||||
"binding": "binding"
|
||||
"ol8": "required,requisite"
|
||||
+ "requisite_or_required": "requisite,required"
|
||||
default: "requisite"
|
||||
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||
index 8c64868619..a3f7dc9720 100644
|
||||
--- a/products/rhel8/profiles/stig.profile
|
||||
+++ b/products/rhel8/profiles/stig.profile
|
||||
@@ -37,7 +37,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
- - var_password_pam_remember_control_flag=requisite
|
||||
+ - var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||
index 6970a32b4f..5d694c6ae1 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||
@@ -433,7 +433,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
index 314f14e4f6..e165525b90 100644
|
||||
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||
@@ -441,7 +441,7 @@ selections:
|
||||
- var_accounts_minimum_age_login_defs=1
|
||||
- var_accounts_max_concurrent_login_sessions=10
|
||||
- var_password_pam_remember=5
|
||||
-- var_password_pam_remember_control_flag=requisite
|
||||
+- var_password_pam_remember_control_flag=requisite_or_required
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- var_password_pam_unix_rounds=5000
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,147 @@
|
||||
From 2bfdf9fa7e8309b079e657460671818e77b9a233 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 17:49:15 +0100
|
||||
Subject: [PATCH 5/5] remove rule logind_session_timeout and associated
|
||||
variable from profiles
|
||||
|
||||
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
Patch-status: remove rule logind_session_timeout and associated variable from profiles
|
||||
---
|
||||
controls/anssi.yml | 2 --
|
||||
products/rhel8/profiles/cjis.profile | 2 --
|
||||
products/rhel8/profiles/ospp.profile | 2 --
|
||||
products/rhel8/profiles/pci-dss.profile | 2 --
|
||||
products/rhel8/profiles/rht-ccp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/ospp.profile | 2 --
|
||||
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
|
||||
7 files changed, 14 deletions(-)
|
||||
|
||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||
index 607ce976ef..9e631d1de4 100644
|
||||
--- a/controls/anssi.yml
|
||||
+++ b/controls/anssi.yml
|
||||
@@ -676,8 +676,6 @@ controls:
|
||||
- var_accounts_tmout=10_min
|
||||
- sshd_set_idle_timeout
|
||||
- sshd_idle_timeout_value=10_minutes
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=10_minutes
|
||||
- sshd_set_keepalive
|
||||
|
||||
- id: R30
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index 22ae5aac72..30843b692e 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- - logind_session_timeout
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
- sshd_disable_root_login
|
||||
@@ -120,7 +119,6 @@ selections:
|
||||
- set_firewalld_default_zone
|
||||
- firewalld_sshd_port_enabled
|
||||
- sshd_idle_timeout_value=30_minutes
|
||||
- - var_logind_session_timeout=30_minutes
|
||||
- inactivity_timeout_value=30_minutes
|
||||
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||
- sysctl_net_ipv4_tcp_syncookies
|
||||
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||
index 0fe17b2085..fb46ab4c0c 100644
|
||||
--- a/products/rhel8/profiles/ospp.profile
|
||||
+++ b/products/rhel8/profiles/ospp.profile
|
||||
@@ -300,8 +300,6 @@ selections:
|
||||
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- - var_logind_session_timeout=14_minutes
|
||||
|
||||
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||
## FIA_UAU.1
|
||||
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
|
||||
index c63c5f4a07..c0c9b12773 100644
|
||||
--- a/products/rhel8/profiles/pci-dss.profile
|
||||
+++ b/products/rhel8/profiles/pci-dss.profile
|
||||
@@ -17,7 +17,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
- - var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
@@ -110,7 +109,6 @@ selections:
|
||||
- dconf_gnome_screensaver_lock_enabled
|
||||
- dconf_gnome_screensaver_mode_blank
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- accounts_password_pam_minlen
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index 6856951bff..01133a9bde 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -12,7 +12,6 @@ selections:
|
||||
- var_selinux_state=enforcing
|
||||
- var_selinux_policy_name=targeted
|
||||
- sshd_idle_timeout_value=5_minutes
|
||||
- - var_logind_session_timeout=5_minutes
|
||||
- var_accounts_minimum_age_login_defs=7
|
||||
- var_accounts_passwords_pam_faillock_deny=5
|
||||
- var_accounts_password_warn_age_login_defs=7
|
||||
@@ -89,7 +88,6 @@ selections:
|
||||
- package_telnet_removed
|
||||
- sshd_allow_only_protocol2
|
||||
- sshd_set_idle_timeout
|
||||
- - logind_session_timeout
|
||||
- var_sshd_set_keepalive=0
|
||||
- sshd_set_keepalive_0
|
||||
- disable_host_auth
|
||||
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
index a31f3245d8..267b66a4f8 100644
|
||||
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||
@@ -104,7 +104,6 @@ selections:
|
||||
- kernel_module_firewire-core_disabled
|
||||
- kernel_module_sctp_disabled
|
||||
- kernel_module_tipc_disabled
|
||||
-- logind_session_timeout
|
||||
- mount_option_boot_nodev
|
||||
- mount_option_boot_nosuid
|
||||
- mount_option_dev_shm_nodev
|
||||
@@ -254,7 +253,6 @@ selections:
|
||||
- var_password_pam_ucredit=1
|
||||
- var_password_pam_lcredit=1
|
||||
- sshd_idle_timeout_value=14_minutes
|
||||
-- var_logind_session_timeout=14_minutes
|
||||
- var_accounts_passwords_pam_faillock_deny=3
|
||||
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=never
|
||||
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
index 5c77ea6a85..902d0084fc 100644
|
||||
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
|
||||
@@ -109,7 +109,6 @@ selections:
|
||||
- gid_passwd_group_same
|
||||
- grub2_audit_argument
|
||||
- install_hids
|
||||
-- logind_session_timeout
|
||||
- no_empty_passwords
|
||||
- package_aide_installed
|
||||
- package_audispd-plugins_installed
|
||||
@@ -137,7 +136,6 @@ selections:
|
||||
- var_accounts_passwords_pam_faillock_deny=6
|
||||
- var_accounts_passwords_pam_faillock_unlock_time=1800
|
||||
- sshd_idle_timeout_value=15_minutes
|
||||
-- var_logind_session_timeout=15_minutes
|
||||
- var_password_pam_minlen=7
|
||||
- var_password_pam_minclass=2
|
||||
- var_accounts_maximum_age_login_defs=90
|
||||
--
|
||||
2.39.1
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -5,24 +5,24 @@
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.63
|
||||
Release: 5%{?dist}
|
||||
Version: 0.1.66
|
||||
Release: 1%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Rsyslog files rules remediations
|
||||
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
|
||||
# Extends rsyslog_logfiles_attributes_modify template for permissions
|
||||
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
|
||||
# Change custom zones check in firewalld_sshd_port_enabled
|
||||
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
|
||||
# Accept required and requisite control flag for pam_pwhistory
|
||||
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
|
||||
# remove rule logind_session_timeout and associated variable from profiles
|
||||
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
|
||||
BuildArch: noarch
|
||||
|
||||
Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
|
||||
Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
|
||||
Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
|
||||
Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
|
||||
Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
|
||||
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
|
||||
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
|
||||
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
|
||||
Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
@ -108,6 +108,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
|
||||
- Fix remediation of audit watch rules (RHBZ#2169441)
|
||||
- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
|
||||
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
|
||||
- Unselect rule logind_session_timeout (RHBZ#2169443)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
|
||||
|
||||
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
|
||||
- OSPP: fix rule related to coredump (RHBZ#2081688)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user