From 7b3a89c2e434aec811f0202562f488d5b50ead3f Mon Sep 17 00:00:00 2001 
From: CentOS Sources
Date: Tue, 28 Feb 2023 07:54:53 +0000
Subject: [PATCH] import scap-security-guide-0.1.66-1.el9_1
---
 .gitignore | 2 +-
 .scap-security-guide.metadata | 2 +-
 ...1.64-audit_rules_for_ppc64le-PR_9124.patch | 2093 -----------
 ...-authselect_minimal_for_ospp-PR_9298.patch | 90 -
 ...1.64-coredump_rules_for_ospp-PR_9285.patch | 302 --
 ...ix_core_pattern_empty_string-PR_9396.patch | 826 -----
 ...ssl_cryptopolicy_remediation-PR_9194.patch | 47 -
 ...uire_single_user_description-PR_9256.patch | 29 -
 ...ernel_core_pattern_bin_false-PR_9384.patch | 48 -
 ...ity-guide-0.1.64-readd_rules-PR_9334.patch | 60 -
 ...late_extension_and_bpf_rules-PR_9147.patch | 1888 ----------
 ...lld_sshd_port_enabled_tests-PR_10162.patch | 106 +
 ...de-0.1.67-pwhistory_control-PR_10175.patch | 122 +
 ...ssion_timeout_from_profiles-PR_10202.patch | 147 +
 ..._files_permissions_template-PR_10139.patch | 3148 +++++++++++++++++
 ...log_files_rules_remediations-PR_9789.patch | 1950 ++++++++++
 SPECS/scap-security-guide.spec | 32 +-
 17 files changed, 5495 insertions(+), 5397 deletions(-)
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
 delete mode 100644 SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
diff --git a/.gitignore b/.gitignore
index 17ac62d..fdc5616 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.63.tar.bz2
+SOURCES/scap-security-guide-0.1.66.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 1bcd25e..36621a0 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
+fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch b/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
deleted file mode 100644
index 9970f6d..0000000
--- a/SOURCES/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
+++ /dev/null
@@ -1,2093 +0,0 @@
-From 1f53aae9b711466ce3d8f5d72d544c16024b6f7f Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 8 Jul 2022 13:21:36 +0200
-Subject: [PATCH 01/18] add ppc64le applicability platform
-
----
- shared/applicability/arch.yml | 6 ++++
- ...proc_sys_kernel_osrelease_arch_ppc64le.xml | 33 +++++++++++++++++++
- 2 files changed, 39 insertions(+)
- create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
-
-diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
-index cb64a037192..1223001846a 100644
---- a/shared/applicability/arch.yml
-+++ b/shared/applicability/arch.yml
-@@ -28,3 +28,9 @@ cpes:
- bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
- ansible_conditional: 'ansible_architecture == "aarch64"'
-
-+ - ppc64le_arch:
-+ name: "cpe:/a:ppc64le_arch"
-+ title: "System architecture is ppc64le"
-+ check_id: proc_sys_kernel_osrelease_arch_ppc64le
-+ bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease'
-+ ansible_conditional: 'ansible_architecture == "ppc64le"'
-diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
-new file mode 100644
-index 00000000000..058de0db5e7
---- /dev/null
-+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
-@@ -0,0 +1,33 @@
-+
-+
-+
-+ Test that the architecture is ppc64le
-+
-+ multi_platform_all
-+
-+ Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+ /proc/sys/kernel/osrelease
-+ ^.*\.(.*)$
-+ 1
-+
-+
-+
-+ ^ppc64le$
-+
-+
-
-From ced2b8699637af0f75786bd07f2944a6febaa531 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Fri, 8 Jul 2022 13:46:47 +0200
-Subject: [PATCH 02/18] add audit_access_failed_ppc64le
-
----
- .../policy_rules/audit_access_failed/rule.yml | 2 +-
- .../kubernetes/shared.yml | 15 ++++++
- .../audit_access_failed_ppc64le/rule.yml | 54 +++++++++++++++++++
- 3 files
changed, 70 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -index 87fc33ad041..74f92b94762 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml -@@ -28,7 +28,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..412c67f15a1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 3.1.0 -+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A -+ 
mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -new file mode 100644 -index 00000000000..f764da506e9 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful file accesses (ppc64le)' -+ -+{{% set file_contents_audit_access_failed = -+"## Unsuccessful file access (any other opens) This has to go last. -+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to access a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_access_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85953-8 -+ cce@rhel9: CCE-85955-3 -+ -+references: -+ ism: 0582,0584,05885,0586,0846,0957 -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_access_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules -+ contents: |- -+ {{{ file_contents_audit_access_failed|indent(12) }}} - -From 6c9b276ce50932934afa4e1af38ee5cd88166580 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 13:56:29 +0200 -Subject: [PATCH 03/18] add audit_access_success ppc64le - ---- - .../audit_access_success/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 ++++++ - .../audit_access_success_ppc64le/rule.yml | 54 +++++++++++++++++++ - 3 files changed, 70 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -index 284ed1756ff..7646d5f9f4b 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml -@@ -27,7 +27,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..372b7c27c76 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ 
ignition: -+ version: 3.1.0 -+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -new file mode 100644 -index 00000000000..b76fe0b4a4e ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful file accesses (ppc64le)' -+ -+{{% set file_contents_audit_access_success = -+"## Successful file access (any other opens) This has to go last. -+## These next two are likely to result in a whole lot of events -+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}} -+ -+description: |- -+ Ensure that successful attempts to access a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_access_success|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing of successful attempts to access a file helps in investigation of activities performed on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85960-3 -+ cce@rhel9: CCE-85961-1 -+ -+references: -+ ism: 0582,0584,05885,0586,0846,0957 -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_access_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules -+ contents: |- -+ {{{ file_contents_audit_access_success|indent(12) }}} - -From 7a343648d9e206a1b981f4235daeb9dd3cd475dc Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:01:03 +0200 -Subject: [PATCH 04/18] add audit_create_failed ppc64le - ---- - .../policy_rules/audit_create_failed/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 +++++ - .../audit_create_failed_ppc64le/rule.yml | 57 +++++++++++++++++++ - 3 files changed, 73 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -index f4da514e080..ac5e1f97413 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml -@@ -36,7 +36,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..08c8dc85507 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 
3.1.0 -+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -new file mode 100644 -index 00000000000..ead598f8b9a ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -@@ -0,0 +1,57 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful file creations (ppc64le)' -+ -+{{% set file_contents_audit_create_failed = -+"## Unsuccessful file creation (open with O_CREAT) -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a 
always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to create a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_create_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85962-9 -+ cce@rhel9: CCE-85965-2 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_create_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules -+ contents: |- -+ {{{ file_contents_audit_create_failed|indent(12) }}} - -From c433196a29cfcf5b3dca2f3cde7dc230f43a181e Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:03:38 +0200 -Subject: [PATCH 05/18] add audit_create_success ppc64le - ---- - .../audit_create_success/rule.yml | 2 +- - .../audit_create_success_ppc64le/rule.yml | 54 +++++++++++++++++++ - 2 files changed, 55 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -index 43e8674178b..21e71077030 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml -@@ -30,7 +30,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -new file mode 100644 -index 00000000000..294947c14ba ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful file creations (ppc64le)' -+ -+{{% set file_contents_audit_create_success = -+"## Successful file creation (open with O_CREAT) -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -+-a always,exit -F arch=b64 -S creat -F success=1 -F 
auid>=1000 -F auid!=unset -F key=successful-create" %}} -+ -+description: |- -+ Ensure that successful attempts to create a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_create_success |indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85966-0 -+ cce@rhel9: CCE-85968-6 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_create_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules -+ contents: |- -+ {{{ file_contents_audit_create_success|indent(12) }}} - -From d8593e7d56ed85f34f228b24526b703eed141071 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:07:50 +0200 -Subject: [PATCH 06/18] add audit_delete_failed ppc64le - ---- - .../policy_rules/audit_delete_failed/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 +++++ - .../audit_delete_failed_ppc64le/rule.yml | 65 +++++++++++++++++++ - 3 files changed, 81 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -index 07ed41a9c4f..5ac68376970 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml -@@ -28,7 +28,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..2fb2c25aa30 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ 
ignition: -+ version: 3.1.0 -+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -new file mode 100644 -index 00000000000..c8c532cb3bb ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -@@ -0,0 +1,65 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful file deletions (ppc64le)' -+ -+{{% set file_contents_audit_delete_failed = -+"## Unsuccessful file delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to delete a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_delete_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85969-4 -+ cce@rhel9: CCE-85970-2 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_delete_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -+ contents: |- -+ {{{ file_contents_audit_delete_failed|indent(12) }}} -+ -+fixtext: |- -+ Configure {{{ full_name }}} to audit all unsuccessful attempts to delete a file. -+ -+ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules" with the exactly following content: -+ -+ {{{ file_contents_audit_delete_failed|indent(4) }}} -+ -+ Then, run the following commands: -+ -+ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -+ $ sudo augenrules --load - -From 364e30b710df1f58a004edce60cfc6043d0aed3b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:12:20 +0200 -Subject: [PATCH 07/18] add audit_delete_success ppc64le - ---- - .../audit_delete_success/rule.yml | 2 +- - .../kubernetes/shared.yml | 7 ++ - .../audit_delete_success_ppc64le/rule.yml | 64 +++++++++++++++++++ - 3 files changed, 72 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -index 93b42e3f4d6..b2fc0cca348 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml -@@ -26,7 +26,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..3734328c9e1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,7 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+ -+{{% set file_contents = """## Successful file delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete""" -%}} -+ -+{{{- kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules', file_permissions_mode='0600', source=file_contents) }}} -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -new file mode 100644 -index 00000000000..35362051948 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -@@ -0,0 +1,64 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful file deletions (ppc64le)' -+ -+{{% set file_contents_audit_delete_success = -+"## Successful file delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete" %}} -+ -+description: |- -+ Ensure that successful attempts to delete a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_delete_success|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85974-4 -+ cce@rhel9: CCE-85976-9 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_delete_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules -+ contents: |- -+ {{{ file_contents_audit_delete_success|indent(12) }}} -+ -+fixtext: |- -+ Configure {{{ full_name }}} to audit all successful attempts to delete a file. -+ -+ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules" with the exactly following content: -+ -+ {{{ file_contents_audit_delete_success|indent(4) }}} -+ -+ Then, run the following commands: -+ -+ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules -+ $ sudo augenrules --load - -From 3bb8799b634e8ec164a6ff7287df92e9519c1a47 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:16:37 +0200 -Subject: [PATCH 08/18] add audit_modify_failed ppc64le - ---- - .../policy_rules/audit_modify_failed/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 +++++ - .../audit_modify_failed_ppc64le/rule.yml | 57 +++++++++++++++++++ - 3 files changed, 73 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -index e4d042a50cb..16c7ca38e5a 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml -@@ -36,7 +36,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..f07ff3607ae ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 3.1.0 -+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml 
-new file mode 100644 -index 00000000000..d5d11a0f214 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -@@ -0,0 +1,57 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful file modifications (ppc64le)' -+ -+{{% set file_contents_audit_modify_failed = -+"## Unsuccessful file modifications (open for write or truncate) -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to modify a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_modify_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85977-7 -+ cce@rhel9: CCE-85978-5 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_modify_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules -+ contents: |- -+ {{{ file_contents_audit_modify_failed|indent(12) }}} - -From 86196a6512dab40e8bed5a06ea0581f2290d5ad8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:20:01 +0200 -Subject: [PATCH 09/18] add audit modify_success ppc64le - ---- - .../audit_modify_success/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 +++++ - .../audit_modify_success_ppc64le/rule.yml | 55 +++++++++++++++++++ - 3 files changed, 71 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -index 4c65055f577..cafc88f49b7 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml -@@ -31,7 +31,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..92310b9772e ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 3.1.0 
-+ storage: -+ files: -+ - contents: -+ source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -new file mode 100644 -index 00000000000..e45015e5949 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -@@ -0,0 +1,55 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful file modifications (ppc64le)' -+ -+{{% set file_contents_audit_modify_success = -+"## Successful file modifications (open for write or truncate) -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification" %}} -+ -+description: |- -+ Ensure that successful attempts to modify a file are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_modify_success|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+ -+rationale: |- -+ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85979-3 -+ cce@rhel9: CCE-85980-1 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_modify_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules -+ contents: |- -+ {{{ file_contents_audit_modify_success|indent(12) }}} - -From 4b3fc315e2e946f103826ac010a056390c906aca Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:23:45 +0200 -Subject: [PATCH 10/18] add audit_module_load ppc64le - ---- - .../policy_rules/audit_module_load/rule.yml | 3 ++ - .../kubernetes/shared.yml | 15 ++++++ - .../audit_module_load_ppc64le/rule.yml | 52 +++++++++++++++++++ - 3 files changed, 70 insertions(+) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -index 5e840fca5a3..b04d879a9c0 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml -@@ -26,6 +26,9 @@ rationale: |- - - severity: medium - -+platforms: -+ - not ppc64le_arch -+ - identifiers: - cce@rhel8: CCE-82838-4 - cce@rhel9: CCE-90814-5 -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..231034a9c54 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 3.1.0 -+ storage: -+ files: -+ - contents: -+ source: 
data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/43-module-load.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -new file mode 100644 -index 00000000000..3f59eecec86 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -@@ -0,0 +1,52 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' -+ -+{{% set file_contents_audit_module_load = -+"## These rules watch for kernel module insertion. By monitoring -+## the syscall, we do not need any watches on programs. -+-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -+-a always,exit -F arch=b64 -S delete_module -F key=module-unload" %}} -+ -+description: |- -+ Ensure that loading and unloading of kernel modules is audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_module_load|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+rationale: |- -+ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85981-9 -+ cce@rhel9: CCE-85982-7 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/43-module-load.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_module_load|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/43-module-load.rules -+ contents: |- -+ {{{ file_contents_audit_module_load|indent(12) }}} - -From 3265584f7f4396ee037f675a4994a1e85e26564b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 8 Jul 2022 14:34:25 +0200 -Subject: [PATCH 11/18] add audit_ospp_general ppc64le - ---- - .../policy_rules/audit_ospp_general/rule.yml | 2 +- - .../kubernetes/shared.yml | 15 ++ - .../audit_ospp_general_ppc64le/rule.yml | 132 ++++++++++++++++++ - 3 files changed, 148 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -index e82c5aee936..93417f4cf6d 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml -@@ -109,7 +109,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml -new file mode 100644 -index 00000000000..fa81ece03c6 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml -@@ -0,0 +1,15 @@ -+--- -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos -+apiVersion: machineconfiguration.openshift.io/v1 -+kind: MachineConfig -+spec: -+ config: -+ ignition: -+ version: 3.1.0 -+ 
storage: -+ files: -+ - contents: -+ source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-
F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20au
id%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fv
ar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A -+ mode: 0600 -+ path: /etc/audit/rules.d/30-ospp-v42.rules -+ overwrite: true -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -new file mode 100644 -index 00000000000..8d408578c3a ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -@@ -0,0 +1,132 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Perform general configuration of Audit for OSPP (ppc64le)' -+ -+{{% set file_contents_audit_ospp_general = -+"## The purpose of these rules is to meet the requirements for Operating -+## System Protection Profile (OSPP)v4.2. 
These rules depends on having -+## the following rule files copied to /etc/audit/rules.d: -+## -+## 10-base-config.rules, 11-loginuid.rules, -+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, -+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, -+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, -+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, -+## 30-ospp-v42-5-perm-change-failed.rules, -+## 30-ospp-v42-5-perm-change-success.rules, -+## 30-ospp-v42-6-owner-change-failed.rules, -+## 30-ospp-v42-6-owner-change-success.rules -+## -+## original copies may be found in /usr/share/audit/sample-rules/ -+ -+ -+## User add delete modify. This is covered by pam. However, someone could -+## open a file and directly create or modify a user, so we'll watch passwd and -+## shadow for writes -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+ -+## User enable and disable. This is entirely handled by pam. -+ -+## Group add delete modify. This is covered by pam. 
However, someone could -+## open a file and directly create or modify a user, so we'll watch group and -+## gshadow for writes -+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -+ -+ -+## Use of special rights for config changes. This would be use of setuid -+## programs that relate to user accts. This is not all setuid apps because -+## requirements are only for ones that affect system configuration. -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F 
path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -+ -+## Privilege escalation via su or sudo. This is entirely handled by pam. -+ -+## Watch for configuration changes to privilege escalation. -+-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes -+-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes -+ -+## Audit log access -+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -+## Attempts to Alter Process and Session Initiation Information -+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -+ -+## Attempts to modify MAC controls -+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy -+ -+## Software updates. This is entirely handled by rpm. -+ -+## System start and shutdown. This is entirely handled by systemd -+ -+## Kernel Module loading. This is handled in 43-module-load.rules -+ -+## Application invocation. The requirements list an optional requirement -+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to -+## state results from that policy. This would be handled entirely by -+## that daemon." %}} -+ -+description: |- -+ Configure some basic Audit parameters specific for OSPP profile. -+ In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. 
-+ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_ospp_general|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85983-5 -+ cce@rhel9: CCE-85984-3 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_ospp_general|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42.rules -+ contents: |+ -+ {{{ file_contents_audit_ospp_general|indent(12) }}} -+#do not remove this comment, it stops Jinja from including more blank lines to the variable - -From 33d024e126e207e9b1e79b8946bcd2cf4cfc864c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 11 Jul 2022 11:08:54 +0200 -Subject: [PATCH 12/18] add audit_owner_change_failed ppc64le - ---- - .../audit_owner_change_failed/rule.yml | 2 +- - .../rule.yml | 53 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 - - 3 files changed, 54 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -index 09c29fb1421..630c54693b5 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml -@@ -28,7 +28,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -new file mode 100644 -index 00000000000..6324bb4fd3b ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -@@ -0,0 +1,53 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' -+ -+{{% set file_contents_audit_owner_change_failed = -+"## Unsuccessful 
ownership change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to change an ownership of files or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_owner_change_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85985-0 -+ cce@rhel9: CCE-85988-4 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_owner_change_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules -+ contents: |- -+ {{{ file_contents_audit_owner_change_failed|indent(12) }}} - -From a7d6fd67d0916baa324d9d342073b93f386004ce Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 11 Jul 2022 11:11:38 +0200 -Subject: [PATCH 13/18] add audit_owner_change_success aarch64 - ---- - .../audit_owner_change_success/rule.yml | 2 +- - .../rule.yml | 52 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 - - 3 files changed, 53 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -index 934739fd043..744249d8740 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml -@@ -26,7 +26,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -new file mode 100644 -index 00000000000..62639140885 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -@@ -0,0 +1,52 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful ownership changes (ppc64le)' -+ -+{{% set file_contents_audit_owner_change_success = -+"## Successful ownership change -+-a always,exit -F arch=b64 -S 
lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change" %}} -+ -+description: |- -+ Ensure that successful attempts to change an ownership of files or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_owner_change_success|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85997-5 -+ cce@rhel9: CCE-85998-3 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_owner_change_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules -+ contents: |- -+ {{{ file_contents_audit_owner_change_success|indent(12) }}} - -From 0e86aaed2dbe0d215d73e02565ab7eaefe803c70 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 11 Jul 2022 11:13:57 +0200 -Subject: [PATCH 14/18] add audit_perm_change_failed for ppc64le - ---- - .../audit_perm_change_failed/rule.yml | 2 +- - .../audit_perm_change_failed_ppc64le/rule.yml | 53 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 - - 3 files changed, 54 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -index 3f7db62b615..0870d41738e 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml -@@ -28,7 +28,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -new file mode 100644 -index 00000000000..e55de06efc0 ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -@@ -0,0 +1,53 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of unsuccessful permission changes (ppc64le)' -+ -+{{% set file_contents_audit_perm_change_failed = -+"## Unsuccessful permission change -+-a always,exit -F 
arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change" %}} -+ -+description: |- -+ Ensure that unsuccessful attempts to change file or directory permissions are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_perm_change_failed|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-85999-1 -+ cce@rhel9: CCE-86000-7 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_perm_change_failed|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules -+ contents: |- -+ {{{ file_contents_audit_perm_change_failed|indent(12) }}} - -From c4df26914cc7dc0911f08950be391a31faae8d63 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 11 Jul 2022 11:16:05 +0200 -Subject: [PATCH 15/18] add audit_perm_change_success ppc64le - ---- - .../audit_perm_change_success/rule.yml | 2 +- - .../rule.yml | 52 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 - - 3 files changed, 53 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -index 4a67bfde428..e0ff8648348 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml -@@ -26,7 +26,7 @@ rationale: |- - # so do not apply this rule but apply the specific one instead - {{% if product == "rhel9" %}} - platforms: -- - not aarch64_arch -+ - not aarch64_arch and not ppc64le_arch - {{% endif %}} - - identifiers: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -new file mode 100644 -index 00000000000..0cbb0f60e0c ---- /dev/null -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -@@ -0,0 +1,52 @@ -+documentation_complete: true -+ -+prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure auditing of successful permission changes (ppc64le)' -+ -+{{% set file_contents_audit_perm_change_success = -+"## Successful permission change -+-a always,exit -F arch=b64 -S 
chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change" %}} -+ -+description: |- -+ Ensure that successful attempts to modify permissions of files or directories are audited. -+ -+ The following rules configure audit as described above: -+
{{{ file_contents_audit_perm_change_success|indent }}}    
-+ -+ Load new Audit rules into kernel by running: -+
augenrules --load
-+ -+ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. -+ -+rationale: |- -+ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. -+ -+severity: medium -+ -+platforms: -+ - ppc64le_arch -+ -+identifiers: -+ cce@rhel8: CCE-86001-5 -+ cce@rhel9: CCE-86002-3 -+ -+references: -+ nist: AU-2(a) -+ ospp: FAU_GEN.1.1.c -+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 -+ -+ocil_clause: 'the file does not exist or the content differs' -+ -+ocil: |- -+ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: -+
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-+ The output has to be exactly as follows: -+
{{{ file_contents_audit_perm_change_success|indent }}}    
-+ -+template: -+ name: audit_file_contents -+ vars: -+ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules -+ contents: |- -+ {{{ file_contents_audit_perm_change_success|indent(12) }}} - -From af066dd83f416d40eabe8b9cec584f726b37f14e Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 11 Jul 2022 11:42:46 +0200 -Subject: [PATCH 16/18] add new rules to rhel9 ospp profile - ---- - products/rhel9/profiles/ospp.profile | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 1c97558669f..41930e4b840 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -279,35 +279,51 @@ selections: - - audit_immutable_login_uids - - audit_create_failed - - audit_create_failed_aarch64 -+ - audit_create_failed_ppc64le - - audit_create_success - - audit_create_success_aarch64 -+ - audit_create_success_ppc64le - - audit_modify_failed - - audit_modify_failed_aarch64 -+ - audit_modify_failed_ppc64le - - audit_modify_success - - audit_modify_success_aarch64 -+ - audit_modify_success_ppc64le - - audit_access_failed - - audit_access_failed_aarch64 -+ - audit_access_failed_ppc64le - - audit_access_success - - audit_access_success.severity=info - - audit_access_success.role=unscored - - audit_access_success_aarch64 - - audit_access_success_aarch64.severity=info - - audit_access_success_aarch64.role=unscored -+ - audit_access_success_ppc64le -+ - audit_access_success_ppc64le.severity=info -+ - audit_access_success_ppc64le.role=unscored - - audit_delete_failed - - audit_delete_failed_aarch64 -+ - audit_delete_failed_ppc64le - - audit_delete_success - - audit_delete_success_aarch64 -+ - audit_delete_success_ppc64le - - audit_perm_change_failed - - audit_perm_change_failed_aarch64 -+ - audit_perm_change_failed_ppc64le - - audit_perm_change_success - - audit_perm_change_success_aarch64 -+ - audit_perm_change_success_ppc64le - - 
audit_owner_change_failed - - audit_owner_change_failed_aarch64 -+ - audit_owner_change_failed_ppc64le - - audit_owner_change_success - - audit_owner_change_success_aarch64 -+ - audit_owner_change_success_ppc64le - - audit_ospp_general - - audit_ospp_general_aarch64 -+ - audit_ospp_general_ppc64le - - audit_module_load -+ - audit_module_load_ppc64le - - ## Enable Automatic Software Updates - ## SI-2 / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) - -From 1fb5a22850fb1bfbaee76422ef57b3b631d4c91f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 15 Jul 2022 10:40:07 +0200 -Subject: [PATCH 17/18] make newly added rules RHEL9 only - -- change their prodtype to rhel9 -- return rhel8 cces back to the pool -- make the platform in generic rule applicable only on rhel9 since on rhel8 the file content is the same regardless of the architecture -- remove rules from rhel8 profiles ---- - .../policy_rules/audit_access_failed/rule.yml | 4 ++++ - .../audit_access_failed_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_access_success/rule.yml | 4 ++++ - .../audit_access_success_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_create_failed/rule.yml | 4 ++++ - .../audit_create_failed_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_create_success/rule.yml | 4 ++++ - .../audit_create_success_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_delete_failed/rule.yml | 5 ++++- - .../audit_delete_failed_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_delete_success/rule.yml | 4 ++++ - .../audit_delete_success_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_modify_failed/rule.yml | 4 ++++ - .../audit_modify_failed_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_modify_success/rule.yml | 4 ++++ - .../audit_modify_success_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_module_load/rule.yml | 4 ++++ - .../audit_module_load_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_ospp_general/rule.yml | 4 ++++ - .../audit_ospp_general_ppc64le/rule.yml | 3 +-- - 
.../audit_owner_change_failed/rule.yml | 4 ++++ - .../audit_owner_change_failed_ppc64le/rule.yml | 3 +-- - .../audit_owner_change_success/rule.yml | 4 ++++ - .../audit_owner_change_success_ppc64le/rule.yml | 3 +-- - .../policy_rules/audit_perm_change_failed/rule.yml | 4 ++++ - .../audit_perm_change_failed_ppc64le/rule.yml | 3 +-- - .../audit_perm_change_success/rule.yml | 4 ++++ - .../audit_perm_change_success_ppc64le/rule.yml | 3 +-- - shared/references/cce-redhat-avail.txt | 14 ++++++++++++++ - 29 files changed, 84 insertions(+), 29 deletions(-) - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -index f764da506e9..6547b12e349 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful file accesses (ppc64le)' - -@@ -29,7 +29,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85953-8 - cce@rhel9: CCE-85955-3 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -index b76fe0b4a4e..6ec2fc3b32d 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful file accesses (ppc64le)' - -@@ -29,7 +29,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85960-3 - cce@rhel9: CCE-85961-1 - - references: -diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -index ead598f8b9a..7af3f3b5bbb 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful file creations (ppc64le)' - -@@ -33,7 +33,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85962-9 - cce@rhel9: CCE-85965-2 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -index 294947c14ba..87bfe3de933 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful file creations (ppc64le)' - -@@ -30,7 +30,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85966-0 - cce@rhel9: CCE-85968-6 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -index c8c532cb3bb..30279c88b23 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful file deletions (ppc64le)' - -@@ -29,7 +29,6 @@ 
platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85969-4 - cce@rhel9: CCE-85970-2 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -index 35362051948..220e5d9ca78 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful file deletions (ppc64le)' - -@@ -28,7 +28,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85974-4 - cce@rhel9: CCE-85976-9 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -index d5d11a0f214..ae0931dcee3 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful file modifications (ppc64le)' - -@@ -33,7 +33,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85977-7 - cce@rhel9: CCE-85978-5 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -index e45015e5949..4c4b1c7d8e0 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: 
ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful file modifications (ppc64le)' - -@@ -31,7 +31,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85979-3 - cce@rhel9: CCE-85980-1 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -index 3f59eecec86..4f8b06c5e2f 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' - -@@ -28,7 +28,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85981-9 - cce@rhel9: CCE-85982-7 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -index 8d408578c3a..3fe9257c0cc 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Perform general configuration of Audit for OSPP (ppc64le)' - -@@ -107,7 +107,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85983-5 - cce@rhel9: CCE-85984-3 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -index 6324bb4fd3b..f0a7c78dd14 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -+++ 
b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' - -@@ -29,7 +29,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85985-0 - cce@rhel9: CCE-85988-4 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -index 62639140885..dd0cf8d7cca 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful ownership changes (ppc64le)' - -@@ -28,7 +28,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85997-5 - cce@rhel9: CCE-85998-3 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -index e55de06efc0..71e5354753e 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of unsuccessful permission changes (ppc64le)' - -@@ -29,7 +29,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-85999-1 - cce@rhel9: CCE-86000-7 - - references: -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -index 0cbb0f60e0c..282a2e316f4 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Configure auditing of successful permission changes (ppc64le)' - -@@ -28,7 +28,6 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel8: CCE-86001-5 - cce@rhel9: CCE-86002-3 - - references: - -From 3b4bc8b3bec38c27e67bde1ad34ff42c85e7cd94 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 18 Jul 2022 14:12:08 +0200 -Subject: [PATCH 18/18] fix CCE assignments after rebase - ---- - .../audit_access_failed_ppc64le/rule.yml | 2 +- - .../audit_access_success_ppc64le/rule.yml | 2 +- - .../audit_create_failed_ppc64le/rule.yml | 2 +- - .../audit_create_success_ppc64le/rule.yml | 2 +- - .../audit_delete_failed_ppc64le/rule.yml | 2 +- - .../audit_delete_success_ppc64le/rule.yml | 2 +- - .../audit_modify_failed_ppc64le/rule.yml | 2 +- - .../audit_modify_success_ppc64le/rule.yml | 2 +- - .../audit_module_load_ppc64le/rule.yml | 2 +- - .../audit_ospp_general_ppc64le/rule.yml | 2 +- - shared/references/cce-redhat-avail.txt | 20 ------------------- - 11 files changed, 10 insertions(+), 30 deletions(-) - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -index 6547b12e349..222290c9dd7 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml -@@ -29,7 +29,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85955-3 -+ cce@rhel9: CCE-86001-5 - - references: - ism: 
0582,0584,05885,0586,0846,0957 -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -index 6ec2fc3b32d..0091db466df 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml -@@ -29,7 +29,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85961-1 -+ cce@rhel9: CCE-85999-1 - - references: - ism: 0582,0584,05885,0586,0846,0957 -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -index 7af3f3b5bbb..c85274a3540 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml -@@ -33,7 +33,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85965-2 -+ cce@rhel9: CCE-85997-5 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -index 87bfe3de933..54eb4be972d 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml -@@ -30,7 +30,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85968-6 -+ cce@rhel9: CCE-85985-0 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -index 30279c88b23..123a38cc0c6 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -+++ 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml -@@ -29,7 +29,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85970-2 -+ cce@rhel9: CCE-90787-3 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -index 220e5d9ca78..f127ee47197 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml -@@ -28,7 +28,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85976-9 -+ cce@rhel9: CCE-90789-9 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -index ae0931dcee3..22a90d645e3 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml -@@ -33,7 +33,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85978-5 -+ cce@rhel9: CCE-90790-7 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -index 4c4b1c7d8e0..94b15c57c2f 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml -@@ -31,7 +31,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85980-1 -+ cce@rhel9: CCE-90791-5 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -index 4f8b06c5e2f..486f0ba2d9e 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml -@@ -28,7 +28,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85982-7 -+ cce@rhel9: CCE-90788-1 - - references: - nist: AU-2(a) -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -index 3fe9257c0cc..cb712714c19 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml -@@ -107,7 +107,7 @@ platforms: - - ppc64le_arch - - identifiers: -- cce@rhel9: CCE-85984-3 -+ cce@rhel9: CCE-90786-5 - - references: - nist: AU-2(a) diff --git a/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch b/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch deleted file mode 100644 index 2ac4abd..0000000 --- a/SOURCES/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 11:45:15 +0200 -Subject: [PATCH 1/4] fix ospp references - ---- - linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml -index c151d3c4aa1..f9b46c51ddd 100644 ---- a/linux_os/guide/system/accounts/enable_authselect/rule.yml -+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml -@@ -34,6 +34,7 @@ references: - disa: CCI-000213 - hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth - nist: AC-3 -+ ospp: FIA_UAU.1,FIA_AFL.1 - srg: SRG-OS-000480-GPOS-00227 - - ocil: |- - -From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 11:45:42 +0200 -Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp - ---- - products/rhel9/profiles/ospp.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index b47630c62b0..dcc41970043 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -115,7 +115,7 @@ selections: - - coredump_disable_storage - - coredump_disable_backtraces - - service_systemd-coredump_disabled -- - var_authselect_profile=sssd -+ - var_authselect_profile=minimal - - enable_authselect - - use_pam_wheel_for_su - - -From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 11:45:54 +0200 -Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp - ---- - products/rhel8/profiles/ospp.profile | 
2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index 39ad1797c7a..ebec8a3a6f9 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -220,7 +220,7 @@ selections: - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - securetty_root_login_console_only -- - var_authselect_profile=sssd -+ - var_authselect_profile=minimal - - enable_authselect - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember - -From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 13:55:05 +0200 -Subject: [PATCH 4/4] update profile stability test - ---- - tests/data/profile_stability/rhel8/ospp.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 5d73a8c6fef..21e93e310d5 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -242,7 +242,7 @@ selections: - - var_slub_debug_options=P - - var_auditd_flush=incremental_async - - var_accounts_max_concurrent_login_sessions=10 --- var_authselect_profile=sssd -+- var_authselect_profile=minimal - - var_password_pam_unix_remember=5 - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted diff --git a/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch b/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch deleted file mode 100644 index 20b17ab..0000000 --- a/SOURCES/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 27 Jul 2022 13:49:05 +0200 -Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp - ---- - products/rhel9/profiles/ospp.profile | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index dcc41970043..0902abf58db 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -110,10 +110,7 @@ selections: - - package_gnutls-utils_installed - - ### Login -- - disable_users_coredumps - - sysctl_kernel_core_pattern -- - coredump_disable_storage -- - coredump_disable_backtraces - - service_systemd-coredump_disabled - - var_authselect_profile=minimal - - enable_authselect - -From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 3 Aug 2022 12:17:27 +0200 -Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL - -actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template. -I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers. 
---- - shared/templates/sysctl/oval.template | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 1a7c4979bbe..e0c6f72f928 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -17,13 +17,8 @@ - {{% endif %}} - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} --{{%- if SYSCTLVAL == "" -%}} -- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$ -- 1 --{{%- else -%}} - ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ - 1 --{{%- endif -%}} - {{%- endmacro -%}} - {{%- if "P" in FLAGS -%}} - - -From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 3 Aug 2022 13:00:45 +0200 -Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid - ---- - .../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++ - 2 files changed, 36 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -new file mode 100644 -index 00000000000..7fa36fb940e ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Configure file name of core dumps' -+ -+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' -+ -+rationale: |- -+ The default coredump filename is
core
. By setting -+
core_uses_pid
to
1
, the coredump filename becomes -+
core.PID
. If
core_pattern
does not include -+
%p
(default does not) and
core_uses_pid
is set, then -+
.PID
will be appended to the filename. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-86003-1 -+ -+references: -+ ospp: FMT_SMF_EXT.1 -+ -+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' -+ -+ocil: |- -+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: kernel.core_uses_pid -+ datatype: int -+ sysctlval: '0' - -From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 09:08:37 +0200 -Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string - ---- - .../rule.yml | 49 +++++++++++++++++++ - 2 files changed, 49 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml -new file mode 100644 -index 00000000000..089bb1481aa ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml -@@ -0,0 +1,49 @@ -+documentation_complete: true -+ -+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 -+ -+title: 'Disable storing core dumps' -+ -+description: |- -+ The kernel.core_pattern option specifies the core dumpfile pattern -+ name. It can be set to an empty string ''. In this case, the kernel -+ behaves differently based on another related option. If -+ kernel.core_uses_pid is set to 1, then a file named as -+ .PID (where PID is process ID of the crashed process) is -+ created in the working directory. If kernel.core_uses_pid is set to -+ 0, no coredump is saved. 
-+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}' -+ -+rationale: |- -+ A core dump includes a memory image taken at the time the operating system -+ terminates an application. The memory image could contain sensitive data and is generally useful -+ only for developers trying to debug problems. -+ -+severity: medium -+ -+requires: -+ - sysctl_kernel_core_uses_pid -+ -+conflicts: -+ - sysctl_kernel_core_pattern -+ -+identifiers: -+ cce@rhel9: CCE-86005-6 -+ -+references: -+ ospp: FMT_SMF_EXT.1 -+ -+ocil_clause: |- -+ the returned line does not have a value of ''. -+ -+ocil: | -+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}} -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: kernel.core_pattern -+ sysctlval: "''" -+ datatype: string - -From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 10:40:47 +0200 -Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile - ---- - products/rhel9/profiles/ospp.profile | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 0902abf58db..b1b18261d48 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -110,7 +110,8 @@ selections: - - package_gnutls-utils_installed - - ### Login -- - sysctl_kernel_core_pattern -+ - sysctl_kernel_core_pattern_empty_string -+ - sysctl_kernel_core_uses_pid - - service_systemd-coredump_disabled - - var_authselect_profile=minimal - - enable_authselect - -From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 3 Aug 2022 13:01:12 +0200 -Subject: [PATCH 6/8] describe beneficial dependency between - sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid - ---- - .../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++----- - 1 file changed, 8 insertions(+), 
5 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -index 7fa36fb940e..d6d2c468c10 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps' - description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' - - rationale: |- -- The default coredump filename is
core
. By setting --
core_uses_pid
to
1
, the coredump filename becomes --
core.PID
. If
core_pattern
does not include --
%p
(default does not) and
core_uses_pid
is set, then --
.PID
will be appended to the filename. -+ The default coredump filename is core. By setting -+ core_uses_pid to 1, the coredump filename becomes -+ core.PID. If core_pattern does not include -+ %p (default does not) and core_uses_pid is set, then -+ .PID will be appended to the filename. -+ When combined with kernel.core_pattern = "" configuration, it -+ is ensured that no core dumps are generated and also no confusing error -+ messages are printed by a shell. - - severity: medium - - -From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 5 Aug 2022 10:53:37 +0200 -Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with - sysctl_kernel_core_pattern_empty_string - -they are modifying the same configuration ---- - .../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -index 771c4d40e0f..c27a9e7ecf3 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -@@ -13,6 +13,9 @@ rationale: |- - - severity: medium - -+conflicts: -+ - sysctl_kernel_core_pattern_empty_string -+ - identifiers: - cce@rhcos4: CCE-82527-3 - cce@rhel8: CCE-82215-5 - -From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 9 Aug 2022 16:43:20 +0200 -Subject: [PATCH 8/8] fix ocils - ---- - .../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++- - .../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++-- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -index c27a9e7ecf3..1a540ce20b3 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml -@@ -29,7 +29,10 @@ references: - stigid@ol8: OL08-00-010671 - stigid@rhel8: RHEL-08-010671 - --ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' -+ocil_clause: |- -+ the returned line does not have a value of "|/bin/false", or a line is not -+ returned and the need for core dumps is not documented with the Information -+ System Security Officer (ISSO) as an operational requirement - - ocil: | - {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}} -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -index d6d2c468c10..8f51f97c16c 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml -@@ -24,10 +24,10 @@ identifiers: - references: - ospp: FMT_SMF_EXT.1 - --ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' -+ocil_clause: 'the returned line does not have a value of 0' - - ocil: |- -- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} -+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}} - - platform: machine - 
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch b/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch deleted file mode 100644 index 457d139..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch +++ /dev/null 
@@ -1,826 +0,0 @@ -From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 18 Aug 2022 13:06:49 +0200 -Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string - content. - ---- - .../ansible/shared.yml | 32 +++ - .../bash/shared.sh | 60 +++++ - .../oval/shared.xml | 221 ++++++++++++++++++ - .../rule.yml | 23 +- - .../tests/correct_value.pass.sh | 10 + - .../tests/wrong_value.fail.sh | 10 + - .../tests/wrong_value_three_entries.fail.sh | 11 + - .../tests/wrong_value_two_entries.fail.sh | 10 + - products/rhel9/profiles/ospp.profile | 2 +- - 9 files changed, 366 insertions(+), 13 deletions(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -new file mode 100644 -index 00000000000..a6e7bf54b56 ---- /dev/null -+++ 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -@@ -0,0 +1,32 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = disable -+# complexity = low -+# disruption = medium -+- name: List /etc/sysctl.d/*.conf files -+ find: -+ paths: -+ - /etc/sysctl.d/ -+ - /run/sysctl.d/ -+ contains: ^[\s]*kernel.core_pattern.*$ -+ patterns: '*.conf' -+ file_type: any -+ register: find_sysctl_d -+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf -+ files -+ replace: -+ path: '{{ item.path }}' -+ regexp: ^[\s]*kernel.core_pattern -+ replace: '#kernel.core_pattern' -+ loop: '{{ find_sysctl_d.files }}' -+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files -+ replace: -+ path: /etc/sysctl.conf -+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ -+ replace: '#kernel.core_pattern' -+- name: Ensure sysctl kernel.core_pattern is set to empty -+ sysctl: -+ name: kernel.core_pattern -+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces -+ state: present -+ reload: true -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh -new file mode 100644 -index 00000000000..989987250bc ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh -@@ -0,0 +1,60 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle -+# reboot = true -+# strategy = disable -+# complexity = low -+# disruption = medium -+# Remediation is applicable only in certain platforms -+if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then -+ -+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -+ -+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do -+ -+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) -+ if ! test -z "$matching_list"; then -+ while IFS= read -r entry; do -+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") -+ # comment out "kernel.core_pattern" matches to preserve user data -+ sed -i "s/^${escaped_entry}$/# &/g" $f -+ done <<< "$matching_list" -+ fi -+done -+ -+# -+# Set runtime for kernel.core_pattern -+# -+/sbin/sysctl -q -n -w kernel.core_pattern="" -+ -+# -+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty -+# else, add "kernel.core_pattern =" to /etc/sysctl.conf -+# -+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -+# Otherwise, regular sed command will do. -+sed_command=('sed' '-i') -+if test -L "/etc/sysctl.conf"; then -+ sed_command+=('--follow-symlinks') -+fi -+ -+# Strip any search characters in the key arg so that the key can be replaced without -+# adding any search characters to the config file. -+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") -+ -+# shellcheck disable=SC2059 -+printf -v formatted_output "%s=" "$stripped_key" -+ -+# If the key exists, change it. Otherwise, add it to the config_file. -+# We search for the key string followed by a word boundary (matched by \>), -+# so if we search for 'setting', 'setting2' won't match. 
-+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then -+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") -+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -+else -+ # \n is precaution for case where file ends without trailing newline -+ -+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -+fi -+ -+else -+ >&2 echo 'Remediation is not applicable, nothing was done' -+fi -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml -new file mode 100644 -index 00000000000..39654259dcb ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml -@@ -0,0 +1,221 @@ -+ -+ -+ -+ -+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} -+ -+ -+ -+ -+ -+ -+ -+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ kernel.core_pattern -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ local_var_sysctl_kernel_core_pattern_empty_string_counter -+ -+ -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered -+ state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ var_obj_symlink_sysctl_kernel_core_pattern_empty_string -+ var_obj_blank_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ 
local_var_blank_path_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ -+ -+ -+ local_var_symlinks_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string -+ object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ -+ object_static_sysctl_sysctl_kernel_core_pattern_empty_string -+ object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ -+ object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string -+ -+ -+ -+ -+ -+ /etc/sysctl.conf -+ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ -+ 1 -+ -+ -+ -+ /etc/sysctl.d -+ ^.*\.conf$ -+ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ -+ 1 -+ -+ -+ -+ /run/sysctl.d -+ ^.*\.conf$ -+ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml -index dc21f53c98c..2babb28e361 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml -@@ -1,18 +1,18 @@ - documentation_complete: true - --prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 -+prodtype: rhel9 - - title: 'Disable storing core dumps' - - description: |- - The kernel.core_pattern option specifies the core dumpfile pattern -- name. It can be set to an empty string ''. In this case, the kernel -+ name. It can be set to an empty string. In this case, the kernel - behaves differently based on another related option. 
If - kernel.core_uses_pid is set to 1, then a file named as - .PID (where PID is process ID of the crashed process) is - created in the working directory. If kernel.core_uses_pid is set to - 0, no coredump is saved. -- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}' -+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}} - - rationale: |- - A core dump includes a memory image taken at the time the operating system -@@ -30,17 +30,16 @@ conflicts: - identifiers: - cce@rhel9: CCE-86005-6 - -+references: -+ ospp: FMT_SMF_EXT.1 -+ - ocil_clause: |- -- the returned line does not have a value of ''. -+ the returned line does not have an empty string - - ocil: | -- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}} -+ The runtime status of the kernel.core_pattern kernel parameter can be queried -+ by running the following command: -+
$ sysctl kernel.core_pattern | cat -A
-+ kernel.core_pattern = $
- 
- platform: machine
--
--template:
-- name: sysctl
-- vars:
-- sysctlvar: kernel.core_pattern
-- sysctlval: "''"
-- datatype: string
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
-new file mode 100644
-index 00000000000..71f0f5db142
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern=""
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
-new file mode 100644
-index 00000000000..1c5fabcc136
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern="|/bin/false"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
-new file mode 100644
-index 00000000000..e56e927ec56
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
-+echo "kernel.core_pattern=" >> /etc/sysctl.conf
-+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern=""
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
-new file mode 100644
-index 00000000000..6c065b1e038
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
-+echo "kernel.core_pattern=" >> /etc/sysctl.conf
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern=""
-diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index 9fdd1354e38..b1b18261d48 100644
---- a/products/rhel9/profiles/ospp.profile
-+++ b/products/rhel9/profiles/ospp.profile
-@@ -110,7 +110,7 @@ selections:
- - package_gnutls-utils_installed
- 
- ### Login
-- - sysctl_kernel_core_pattern
-+ - sysctl_kernel_core_pattern_empty_string
- - sysctl_kernel_core_uses_pid
- - service_systemd-coredump_disabled
- - var_authselect_profile=minimal
-
-From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Thu, 25 Aug 2022 11:13:04 +0200
-Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
-
-The new rule empty is applicable only to RHEL9 and if there would not be
-the restriction, then dangling references would be produced.
----
- .../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-index 1a540ce20b3..e369854060b 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
-@@ -13,8 +13,10 @@ rationale: |-
- 
- severity: medium
- 
-+{{% if product in ["rhel9"] %}}
- conflicts:
- - sysctl_kernel_core_pattern_empty_string
-+{{% endif %}}
- 
- identifiers:
- cce@rhcos4: CCE-82527-3
-
-From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Thu, 25 Aug 2022 11:16:41 +0200
-Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
- sysctl_kernel_core_pattern_empty_string.
-
----
- .../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
-index 989987250bc..9e84d41056d 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
-+# platform = multi_platform_all
- # reboot = true
- # strategy = disable
- # complexity = low
-
-From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Thu, 25 Aug 2022 11:23:04 +0200
-Subject: [PATCH 4/8] Address feedback.
- ---- - .../ansible/shared.yml | 3 +++ - .../oval/shared.xml | 19 +++++-------------- - 2 files changed, 8 insertions(+), 14 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -index a6e7bf54b56..22a8d99dae8 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -@@ -12,6 +12,7 @@ - patterns: '*.conf' - file_type: any - register: find_sysctl_d -+ - - name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf - files - replace: -@@ -19,11 +20,13 @@ - regexp: ^[\s]*kernel.core_pattern - replace: '#kernel.core_pattern' - loop: '{{ find_sysctl_d.files }}' -+ - - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files - replace: - path: /etc/sysctl.conf - regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ - replace: '#kernel.core_pattern' -+ - - name: Ensure sysctl kernel.core_pattern is set to empty - sysctl: - name: kernel.core_pattern -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml -index 39654259dcb..1c3bbfd9a3e 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml -@@ -10,7 +10,9 @@ - definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/> - - -- -+ -+ -+ - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") 
}}} - -@@ -23,21 +25,15 @@ - comment="kernel runtime parameter kernel.core_pattern set to an empty string" - check="all" check_existence="all_exist" state_operator="OR"> - -- - -- - - - - kernel.core_pattern - - -- - -- -- -- -+ - - - -@@ -53,18 +49,17 @@ - test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/> - -- - - - - - -+ - - - -- - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - - -- - - - -@@ -189,7 +183,6 @@ - - - object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string -- - - - -@@ -213,9 +206,7 @@ - 1 - - -- - -- - - - - -From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 25 Aug 2022 14:46:15 +0200 -Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple - def-group tags. - ---- - tests/test_parse_affected.py | 26 ++++++++++++++++---------- - 1 file changed, 16 insertions(+), 10 deletions(-) - -diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py -index 8407794b972..947b56636c0 100755 ---- a/tests/test_parse_affected.py -+++ b/tests/test_parse_affected.py -@@ -3,6 +3,7 @@ - from __future__ import print_function - - import os -+import re - import sys - - import ssg.constants -@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml): - if not xml_content: - continue - -- oval_contents = ssg.utils.split_string_content(xml_content) -+ # split multiple def group into a list so multiple definitions in one OVAL also work -+ # this findall does not preserv the tag but it's not necessary for the -+ # purpose of the test -+ xml_content_list = re.findall(r'(.+?)', xml_content, re.DOTALL) -+ for item in xml_content_list: -+ oval_contents = ssg.utils.split_string_content(item) - -- try: -- results = ssg.oval.parse_affected(oval_contents) -+ try: -+ results = ssg.oval.parse_affected(oval_contents) - -- assert len(results) == 3 -- assert isinstance(results[0], int) -- assert isinstance(results[1], int) -+ assert 
len(results) == 3 -+ assert isinstance(results[0], int) -+ assert isinstance(results[1], int) - -- except ValueError as e: -- print("No element found in file {}. " -- " Parsed XML was:\n{}".format(oval, xml_content)) -- raise e -+ except ValueError as e: -+ print("No element found in file {}. " -+ " Parsed XML was:\n{}".format(oval, item)) -+ raise e - - - if __name__ == "__main__": - -From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 25 Aug 2022 15:14:57 +0200 -Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant - values. - -Comment out any offending line. ---- - .../ansible/shared.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -index 22a8d99dae8..f4dc5110fee 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml -@@ -24,8 +24,8 @@ - - name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files - replace: - path: /etc/sysctl.conf -- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+ -- replace: '#kernel.core_pattern' -+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)' -+ replace: '#kernel.core_pattern\1' - - - name: Ensure sysctl kernel.core_pattern is set to empty - sysctl: - -From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 25 Aug 2022 15:20:41 +0200 -Subject: [PATCH 7/8] Fix PEP8 issue. 
-
----
- tests/test_parse_affected.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
-index 947b56636c0..53690df5ce1 100755
---- a/tests/test_parse_affected.py
-+++ b/tests/test_parse_affected.py
-@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
- 
- except ValueError as e:
- print("No element found in file {}. "
-- " Parsed XML was:\n{}".format(oval, item))
-+ " Parsed XML was:\n{}".format(oval, item))
- raise e
- 
- 
-
-From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Thu, 25 Aug 2022 16:31:31 +0200
-Subject: [PATCH 8/8] Add more test scenarios for
- sysctl_kernel_core_pattern_empty_string.
-
----
- .../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
- .../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
- .../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
- 3 files changed, 29 insertions(+)
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
-new file mode 100644
-index 00000000000..b6688e6ca91
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern= " >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern=""
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
-new file mode 100644
-index 00000000000..6c574b92762
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern=""
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
-new file mode 100644
-index 00000000000..8c729677b86
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
-+echo "kernel.core_pattern=" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.core_pattern="|/bin/false"
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch b/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
deleted file mode 100644
index 57e9182..0000000
--- a/SOURCES/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Wed, 20 Jul 2022 14:18:13 +0200
-Subject: [PATCH] change remediations to include the "=" sign
-
----
- .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
- .../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-index c335a9e7fa2..852ca18cf79 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
-@@ -20,7 +20,7 @@
- lineinfile:
- create: yes
- insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
-- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
-+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
- path: {{{ openssl_cnf_path }}}
- when:
- - test_crypto_policy_group.stdout is defined
-@@ -29,7 +29,7 @@
- - name: "Add crypto_policy group and set include opensslcnf.config"
- lineinfile:
- create: yes
-- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
-+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
- path: {{{ openssl_cnf_path }}}
- when:
- - test_crypto_policy_group.stdout is defined
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-index 21edb780a2f..79eb5cff189 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
-@@ -2,8 +2,8 @@
- 
- OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
- OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
--OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
--OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
-+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
-+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
- 
- {{% if 'sle' in product %}}
- {{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}
diff --git a/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch b/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
deleted file mode 100644
index 00f27c1..0000000
--- a/SOURCES/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Thu, 28 Jul 2022 15:08:15 +0200
-Subject: [PATCH] Remove a confusing sentence
-
-In the rule description, there are 2 conflicting sentences, they
-both start by "By default ...", but they negate each other.
-In fact, the second of them is true, so the first one could be
-removed.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
----
- .../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-index 932d76c36d9..332712ea1dd 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
-@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
- description: |-
- Single-user mode is intended as a system recovery
- method, providing a single user root access to the system by
-- providing a boot option at startup. By default, no authentication
-- is performed if single-user mode is selected.
-+ providing a boot option at startup.
- 

- By default, single-user mode is protected by requiring a password and is set
- in /usr/lib/systemd/system/rescue.service.
diff --git a/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch b/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
deleted file mode 100644
index 668459b..0000000
--- a/SOURCES/scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Mon, 22 Aug 2022 13:51:28 +0200
-Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
- sysctl_kernel_core_pattern
-
----
- products/rhel9/profiles/ospp.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
-index b1b18261d48..9fdd1354e38 100644
---- a/products/rhel9/profiles/ospp.profile
-+++ b/products/rhel9/profiles/ospp.profile
-@@ -110,7 +110,7 @@ selections:
- - package_gnutls-utils_installed
- 
- ### Login
-- - sysctl_kernel_core_pattern_empty_string
-+ - sysctl_kernel_core_pattern
- - sysctl_kernel_core_uses_pid
- - service_systemd-coredump_disabled
- - var_authselect_profile=minimal
-
-From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Mon, 22 Aug 2022 13:51:55 +0200
-Subject: [PATCH 2/2] remove ospp reference from
- sysctl_kernel_core_pattern_empty_string
-
----
- .../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
-index 089bb1481aa..dc21f53c98c 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
-@@ -30,9 +30,6 @@ conflicts:
- identifiers:
- cce@rhel9: CCE-86005-6
- 
---references:
--- ospp: FMT_SMF_EXT.1
---
- ocil_clause: |-
- the returned line does not have a value of ''.
- 
diff --git a/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch b/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
deleted file mode 100644
index 9651d1d..0000000
--- a/SOURCES/scap-security-guide-0.1.64-readd_rules-PR_9334.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 11 Aug 2022 16:53:48 +0200
-Subject: [PATCH] add 4 rules back to RHEL9 datastream
-
----
- .../services/kerberos/package_krb5-server_removed/rule.yml | 2 +-
- .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
- .../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
- .../system-tools/package_krb5-workstation_removed/rule.yml | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
-index 78577046409..17d742d9692 100644
---- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
-+++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: ol7,ol8,rhel7,rhel8
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9
- 
- title: 'Remove the Kerberos Server Package'
- 
-diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-index d8a3910ff4d..9be95ffed5c 100644
---- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
-+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Remove NIS Client'
- 
-diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-index ee7ccb2d8da..0f7ad7c0431 100644
---- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
-+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
- 
- title: 'Uninstall ypserv Package'
- 
-diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
-index 7a02459825d..4750fd6b266 100644
---- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
-+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
-+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
- 
- title: 'Uninstall krb5-workstation Package'
- 
diff --git a/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch b/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
deleted file mode 100644
index 1f8f5b0..0000000
--- a/SOURCES/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
+++ /dev/null
@@ -1,1888 +0,0 @@ -From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 8 Jul 2022 17:51:57 +0200 -Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP - -Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule -requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default -is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf -programs and all users, and it turns on constants blinding by using -random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 -differ is the constants blinding for CAP_SYS_ADMIN processes in the -initial user namespaces. The extra constants blinding with -bpf_jit_harden=2 does not really help with CVE mitigation. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 ---- - products/rhel9/profiles/ospp.profile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 244a421fb48..a7ba9532d2c 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -75,7 +75,6 @@ selections: - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces - - sysctl_kernel_unprivileged_bpf_disabled -- - sysctl_net_core_bpf_jit_harden - - service_kdump_disabled - - ### Audit - -From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Jul 2022 11:24:42 +0200 -Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template - -The sysctl template uses its sysctlvar parameter value as a part of OVAL -object IDs, test IDs and state IDs. That means we can't have multiple -rules using the sysctl template with the same value of sysctlvar -parameter (only differ in other parameters) because there would be -duplicate elements. We will fix this by using the rule ID as a part of -OVAL object IDs, test IDs and state IDs. 
That will allow to use the -template for the same sysctlvar in different rules. ---- - .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- - shared/templates/sysctl/oval.template | 156 +++++++++--------- - 2 files changed, 80 insertions(+), 80 deletions(-) - -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index 1195cea518f..f971d28a047 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -19,8 +19,8 @@ - - - -- -- -+ -+ - - - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 74583dbee1d..52671c06402 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -5,8 +5,8 @@ - {{%- endif %}} - - {{% macro state_static_sysctld(prefix) -%}} -- -- -+ -+ - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} - {{%- if SYSCTLVAL == "" -%}} -@@ -20,13 +20,13 @@ - {{%- if "P" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -34,7 +34,7 @@ - {{%- elif "I" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - {{% if product in ["ubuntu1604", "ubuntu1804"] %}} -@@ -46,9 +46,9 @@ - {{% endif %}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -58,33 +58,33 @@ - {{%- if "R" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - -+ test_ref="test_{{{ rule_id }}}_runtime"/> - - -- -- -- -+ -+ - - -- -+ - {{{ SYSCTLVAR }}} - - {{% if SYSCTLVAL 
== "" %}} -- -+ - -+ var_ref="{{{ rule_id }}}_value"/> - - -- - {{%- else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} -@@ -100,46 +100,46 @@ - {{%- if "S" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - - - -+ test_ref="test_{{{ rule_id }}}_static"/> - - -+ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> - -+ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -- -+ - {{% endif %}} - - - -- - {{{ state_static_sysctld("sysctl") }}} - - -- - {{{ state_static_sysctld("etc_sysctld") }}} - - -- - {{{ state_static_sysctld("run_sysctld") }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- - {{{ state_static_sysctld("usr_lib_sysctld") }}} -@@ -148,79 +148,79 @@ - - {{% if target_oval_version >= [5, 11] %}} - -- -- -+ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> -+ -+ - - -- -- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter -+ -+ local_var_{{{ rule_id }}}_counter - - -- -+ - 1 - - -- -+ - - -- -+ - - - - -- -+ - -- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} -- state_{{{ SYSCTLID }}}_filepath_is_symlink -+ object_{{{ rule_id }}}_static_set_sysctls_unfiltered -+ state_{{{ rule_id }}}_filepath_is_symlink - - - -- -- -+ -+ - - -- -+ - -- -+ - -- -+ - - - -- -+ - -- var_obj_symlink_{{{ SYSCTLID }}} -- var_obj_blank_{{{ SYSCTLID }}} -+ var_obj_symlink_{{{ rule_id }}} -+ var_obj_blank_{{{ rule_id }}} - - - -- -- local_var_blank_path_{{{ SYSCTLID }}} -+ -+ local_var_blank_path_{{{ rule_id }}} - - -- -+ - - - -- -- local_var_symlinks_{{{ SYSCTLID }}} -+ -+ local_var_symlinks_{{{ rule_id }}} - -- -+ - -- -+ - -- -+ - - - - -- -- -- 
state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} -+ -+ -+ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} - - - -- -+ - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - - {{% endif %}} - -- -- -+ -+ - - - -- -+ - -- object_static_etc_sysctls_{{{ SYSCTLID }}} -- object_static_run_usr_sysctls_{{{ SYSCTLID }}} -+ object_static_etc_sysctls_{{{ rule_id }}} -+ object_static_run_usr_sysctls_{{{ rule_id }}} - - - -- -+ - -- object_static_sysctl_{{{ SYSCTLID }}} -- object_static_etc_sysctld_{{{ SYSCTLID }}} -+ object_static_sysctl_{{{ rule_id }}} -+ object_static_etc_sysctld_{{{ rule_id }}} - - - -- -+ - -- object_static_run_sysctld_{{{ SYSCTLID }}} -+ object_static_run_sysctld_{{{ rule_id }}} - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} -+ object_static_usr_lib_sysctld_{{{ rule_id }}} - {{% endif %}} - - - -- -+ - /etc/sysctl.conf - {{{ sysctl_match() }}} - - -- -+ - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - -- -+ - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -+ - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} -@@ -288,15 +288,15 @@ - {{% endif %}} - {{% if SYSCTLVAL == "" %}} - -- -- -+ - - -- - {{% else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} - {{% else %}} - -From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 10:16:45 +0200 -Subject: [PATCH 03/23] Use a list of values in sysctl template - -This patch adds an ability to use a list of values instead of a single -value in the sysctlval parameter of the sysctl template. This is useful -for situations when we want to create a rule that passes for multiple -different sysctl values. This commit modifies the OVAL for the runtime -configuration. 
The runtime configuration will be allowed to be any of -the values in the list. There is an OR relation between the values. In -fact, this is a first step to enable multiple values in the sysctlval -parameter in the sysctl template, because we will also need to check the -static configuration, which is not done in this commit. ---- - shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ - shared/templates/sysctl/template.py | 24 ++++++++++++-------- - 2 files changed, 47 insertions(+), 9 deletions(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 52671c06402..b73ccc94f72 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -1,5 +1,7 @@ - {{%- if SYSCTLVAL == "" %}} - {{%- set COMMENT_VALUE="the appropriate value" %}} -+{{%- elif SYSCTLVAL is sequence %}} -+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} - {{%- else %}} - {{%- set COMMENT_VALUE=SYSCTLVAL %}} - {{%- endif %}} -@@ -60,21 +62,43 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} -+{{% if SYSCTLVAL is string %}} - - - -+{{% elif SYSCTLVAL is sequence %}} -+ -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+ -+{{% endif %}} - -+ -+{{% if SYSCTLVAL is string %}} - - - - -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+{{% endfor %}} -+{{% endif %}} - - - {{{ SYSCTLVAR }}} - -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} - - - {{%- endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - - {{%- endif -%}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index fa981a9dce9..c62591357c0 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -12,6 +12,13 @@ def preprocess(data, lang): - if "operation" 
not in data:
- data["operation"] = "equals"
-
-+ if data["datatype"] not in ["string", "int"]:
-+ raise ValueError(
-+ "Test scenarios for data type '{0}' are not implemented yet.\n"
-+ "Please check if rule '{1}' has correct data type and edit "
-+ "{2} to add tests for it.".format(
-+ data["datatype"], data["_rule_id"], __file__))
-+
- # Configure data for test scenarios
- if data["sysctlval"] == "":
- if data["datatype"] == "int":
-@@ -20,20 +27,19 @@ def preprocess(data, lang):
- elif data["datatype"] == "string":
- data["sysctl_correct_value"] = "correct_value"
- data["sysctl_wrong_value"] = "wrong_value"
-- else:
-+ elif isinstance(data["sysctlval"], list):
-+ if len(data["sysctlval"]) == 0:
- raise ValueError(
-- "Test scenarios for data type '{0}' are not implemented yet.\n"
-- "Please check if rule '{1}' has correct data type and edit "
-- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
-+ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"]))
-+ data["sysctl_correct_value"] = data["sysctlval"][0]
-+ if data["datatype"] == "int":
-+ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0]
-+ elif data["datatype"] == "string":
-+ data["sysctl_wrong_value"] = "wrong_value"
- else:
- data["sysctl_correct_value"] = data["sysctlval"]
- if data["datatype"] == "int":
- data["sysctl_wrong_value"] = "1" + data["sysctlval"]
- elif data["datatype"] == "string":
- data["sysctl_wrong_value"] = "wrong_value"
-- else:
-- raise ValueError(
-- "Test scenarios for data type '{0}' are not implemented yet.\n"
-- "Please check if rule '{1}' has correct data type and edit "
-- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
- return data
-
-From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 13 Jul 2022 10:47:51 +0200
-Subject: [PATCH 04/23] Move check unrelated to the test scenarios
-
-The check for an mepty list is 
unrelated to the test scenarios,
-rather is a generic check to avoid problems during the build.
-Therefore, it shouldn't be inside code block that is handling
-data for test scenarios, but can be extracted to a sooner position.
----
- shared/templates/sysctl/template.py | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
-index c62591357c0..421e42c6ca1 100644
---- a/shared/templates/sysctl/template.py
-+++ b/shared/templates/sysctl/template.py
-@@ -11,7 +11,12 @@ def preprocess(data, lang):
- data["flags"] = "SR" + ipv6_flag
- if "operation" not in data:
- data["operation"] = "equals"
-+ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0:
-+ raise ValueError(
-+ "The sysctlval parameter of {0} is an empty list".format(
-+ data["_rule_id"]))
-
-+ # Configure data for test scenarios
- if data["datatype"] not in ["string", "int"]:
- raise ValueError(
- "Test scenarios for data type '{0}' are not implemented yet.\n"
-@@ -19,7 +24,6 @@ def preprocess(data, lang):
- "{2} to add tests for it.".format(
- data["datatype"], data["_rule_id"], __file__))
-
-- # Configure data for test scenarios
- if data["sysctlval"] == "":
- if data["datatype"] == "int":
- data["sysctl_correct_value"] = "0"
-@@ -28,9 +32,6 @@ def preprocess(data, lang):
- data["sysctl_correct_value"] = "correct_value"
- data["sysctl_wrong_value"] = "wrong_value"
- elif isinstance(data["sysctlval"], list):
-- if len(data["sysctlval"]) == 0:
-- raise ValueError(
-- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"]))
- data["sysctl_correct_value"] = data["sysctlval"][0]
- if data["datatype"] == "int":
- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0]
-
-From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 13 Jul 2022 11:57:50 +0200
-Subject: [PATCH 05/23] Allow multiple values in sysctl 
static configuration - -This extends the OVAL checks for sysctl static configuration -to enable a list of values instead of a single value in the -sysctlval parameter of the sysctl template. The template -will generate OVAL tests for each value in the sysctlval -list. ---- - shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ - 1 file changed, 56 insertions(+) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index b73ccc94f72..4e1bf3cfce3 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -136,6 +136,7 @@ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - - -+{{% if SYSCTLVAL is string %}} - - -@@ -146,6 +147,21 @@ - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+{{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -+ -+{{% endif %}} -+{{% endfor %}} - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -@@ -154,6 +170,7 @@ - - - -+{{% if SYSCTLVAL is string %}} - -@@ -177,6 +194,37 @@ - {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -+ -+ -+ -+ -+{{% endif %}} -+{{% endfor %}} -+{{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} - - {{% endif %}} -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} - - -@@ -336,5 +385,12 @@ - {{% endif %}} - - {{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - {{%- endif -%}} - -From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 
2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 14:55:28 +0200 -Subject: [PATCH 06/23] Add option to allow system default - -Introduce new template option `missing_static_pass` to the -systemctl template. If this option is set to `"true"` in rule.yml -the OVAL will be generated in a way that the check will pass if -there is no sysctl static configuration option in the watched sysctl -configuration files. In other words, the OVAL check will pass if -the system default isn't overridden. ---- - shared/templates/sysctl/oval.template | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 4e1bf3cfce3..1719a59f9c7 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -134,6 +134,9 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} -+{{% if MISSING_STATIC_PASS == "true" %}} -+ -+{{% endif %}} - - - {{% if SYSCTLVAL is string %}} -@@ -168,8 +171,20 @@ - - {{% endif %}} - -+{{% if MISSING_STATIC_PASS == "true" %}} -+ -+ -+{{% endif %}} - - -+{{% if MISSING_STATIC_PASS == "true" %}} -+ -+ -+ -+{{% endif %}} -+ - {{% if SYSCTLVAL is string %}} - -Date: Wed, 13 Jul 2022 17:02:35 +0200 -Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation - -A new parameter sysctlval_remediate is introduced to the sysctl -template. This allows to choose which of the multiple values in -the sysctl list will be used in the Bash and Ansible remediations. 
---- - docs/templates/template_reference.md | 8 ++++++++ - shared/templates/sysctl/ansible.template | 6 +++--- - shared/templates/sysctl/bash.template | 10 +++++----- - shared/templates/sysctl/template.py | 9 +++++++++ - 4 files changed, 25 insertions(+), 8 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index a439e3dca94..5785f1d453f 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo - - **sysctlval** - value of the sysctl value, eg. `'1'`. If this - parameter is not specified, XCCDF Value is used instead. - -+ - **sysctlval_remediate** - the value that will be used in remediations. -+ If **sysctlval_remediate** is not specified, the template will use the -+ value of the **sysctlval** parameter in the remediations. -+ This parameter is mandatory when the **sysctlval** parameter is a list -+ because we need to know which of the values in the list the system -+ should be remedied to. When the **sysctlval** parameter is not a list -+ this parameter is optional. -+ - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. 
- -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index c13bb6637fe..7724db5e5ff 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL_REMEDIATE == "" %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -@@ -29,10 +29,10 @@ - name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" - {{%- else %}} --- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} -+- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} - sysctl: - name: "{{{ SYSCTLVAR }}}" -- value: "{{{ SYSCTLVAL }}}" -+ value: "{{{ SYSCTLVAL_REMEDIATE }}}" - {{%- endif %}} - state: present - reload: yes -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index d67a59c3886..63948bd5a26 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL_REMEDIATE == "" %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -@@ -38,11 +38,11 @@ done - # - # Set runtime for {{{ SYSCTLVAR }}} - # --/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" -+/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" - - # --# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" --# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf -+# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" -+# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf - # --{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}}
-+{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}}
- {{%- endif %}}
-diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
-index 421e42c6ca1..2574d5d42b0 100644
---- a/shared/templates/sysctl/template.py
-+++ b/shared/templates/sysctl/template.py
-@@ -16,6 +16,15 @@ def preprocess(data, lang):
- "The sysctlval parameter of {0} is an empty list".format(
- data["_rule_id"]))
-
-+ if not data.get("sysctlval_remediate"):
-+ if isinstance(data["sysctlval"], list):
-+ raise ValueError(
-+ "Problem with rule {0}: the 'sysctlval' parameter is a list "
-+ "but we are missing the 'sysctlval_remediate' parameter, so "
-+ "we don't know how to generate remediation content.".format(
-+ data["_rule_id"]))
-+ data["sysctlval_remediate"] = data["sysctlval"]
-+
- # Configure data for test scenarios
- if data["datatype"] not in ["string", "int"]:
- raise ValueError(
-
-From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 13 Jul 2022 17:10:16 +0200
-Subject: [PATCH 08/23] Introduce new rule
- sysctl_kernel_unprivileged_bpf_disabled_accept_default
-
-This rule is very similar to the existing rule
-sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl
-setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the
-rule will pass when the explicit configuration isn't present, allowing
-to honor the system's default value which is 2. The goal of this rule is
-to prevent unnecessary modification of the RHEL system default value
-while still checking for the secure configuration.
-
-See the explanation in
-https://bugzilla.redhat.com/show_bug.cgi?id=2081728:
-sysctl_kernel_unprivileged_bpf_disabled sets the
-kernel.unprivileged_bpf_disabled value to 1. 
However, on RHEL 9 the -kernel supports new value 2 which per -https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled -makes it for a privileged admin to re-enable unprivileged BPF. The value -2 is also the RHEL 9 default. So the current -sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies -the RHEL 9 default. ---- - .../rule.yml | 82 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 1 - - 2 files changed, 82 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -new file mode 100644 -index 00000000000..f45769dd2d0 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -0,0 +1,82 @@ -+documentation_complete: true -+ -+prodtype: rhel9 -+ -+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' -+ -+description: |- -+ To prevent unprivileged processes from using the bpf() syscall -+ the kernel.unprivileged_bpf_disabled kernel parameter must -+ be set to 1 or 2. -+ -+ Writing 1 to this entry will disable unprivileged calls to bpf(); once -+ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. -+ Once set to 1, this can't be cleared from the running kernel anymore. -+ -+ Writing 2 to this entry will also disable unprivileged calls to bpf(), -+ however, an admin can still change this setting later on, if needed, by -+ writing 0 or 1 to this entry. 
-+ -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ -+rationale: |- -+ Loading and accessing the packet filters programs and maps using the bpf() -+ syscall has the potential of revealing sensitive information about the kernel state. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-87712-6 -+ -+references: -+ disa: CCI-000366 -+ nist: AC-6,SC-7(10) -+ ospp: FMT_SMF_EXT.1 -+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 -+ stigid@ol8: OL08-00-040281 -+ stigid@rhel8: RHEL-08-040281 -+ -+ocil: |- -+ The runtime status of the kernel.unprivileged_bpf_disabled -+ kernel parameter can be queried by running the following command: -+
$ sysctl kernel.unprivileged_bpf_disabled
-+ The output of the command should indicate either: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ The output of the command should not indicate: -+ kernel.unprivileged_bpf_disabled = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ -+ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. -+ -+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" -+ -+fixtext: |- -+ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. -+ -+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: kernel.unprivileged_bpf_disabled -+ sysctlval: -+ - '1' -+ - '2' -+ sysctlval_remediate: "2" -+ missing_static_pass: "true" -+ datatype: int -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 914233f06bf..2c2cf12cafe 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1435,7 +1435,6 @@ CCE-87708-4 - CCE-87709-2 - CCE-87710-0 - CCE-87711-8 --CCE-87712-6 - CCE-87713-4 - CCE-87714-2 - CCE-87715-9 - -From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Jul 2022 17:21:50 +0200 -Subject: [PATCH 09/23] Add test scenarios for rule - sysctl_kernel_unprivileged_bpf_disabled_accept_default - ---- - .../tests/system_default.pass.sh | 5 +++++ - .../tests/test_config.yml | 6 ++++++ - .../tests/value_0.fail.sh | 11 +++++++++++ - .../tests/value_1.pass.sh | 11 +++++++++++ - .../tests/value_2.pass.sh | 11 +++++++++++ - 5 files changed, 44 insertions(+) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
- create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-new file mode 100644
-index 00000000000..b9776227bdb
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-new file mode 100644
-index 00000000000..dbac89b4caa
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-@@ -0,0 +1,6 @@
-+deny_templated_scenarios:
-+ - line_not_there.fail.sh
-+ - comment.fail.sh
-+ - wrong_value.fail.sh
-+ - wrong_value_d_directory.fail.sh
-+ - wrong_runtime.fail.sh
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-new file mode 100644
-index 00000000000..9f19e0140b4
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="0"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-new file mode 100644
-index 00000000000..e976db594c8
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="1"
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-new file mode 100644
-index 
00000000000..b1537175eb4
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 9
-+
-+# Clean sysctl config directories
-+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
-+
-+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
-+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
-+
-+# set correct runtime value to check if the filesystem configuration is evaluated properly
-+sysctl -w kernel.unprivileged_bpf_disabled="2"
-
-From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Thu, 14 Jul 2022 09:14:53 +0200
-Subject: [PATCH 10/23] Use rule
- sysctl_kernel_unprivileged_bpf_disabled_accept_default
-
-Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default
-instead of the rule sysctl_kernel_unprivileged_bpf_disabled
-in the RHEL 9 OSPP profile. 
---- - products/rhel9/profiles/ospp.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index a7ba9532d2c..19e4878c4b0 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -74,7 +74,7 @@ selections: - - sysctl_kernel_yama_ptrace_scope - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces -- - sysctl_kernel_unprivileged_bpf_disabled -+ - sysctl_kernel_unprivileged_bpf_disabled_accept_default - - service_kdump_disabled - - ### Audit - -From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 09:25:26 +0200 -Subject: [PATCH 11/23] Document that sysctlval can be a list - ---- - docs/templates/template_reference.md | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 5785f1d453f..716407fd5c9 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this -+ - **sysctlval** - value of the sysctl value. This can be either an atomic -+ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this - parameter is not specified, XCCDF Value is used instead. - - - **sysctlval_remediate** - the value that will be used in remediations. 
- -From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:00:59 +0200 -Subject: [PATCH 12/23] Document the missing_static_pass option - ---- - docs/templates/template_reference.md | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 716407fd5c9..65da697b808 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo - should be remedied to. When the **sysctlval** parameter is not a list - this parameter is optional. - -+ - **missing_static_pass** - if set to `true` the check will pass if the -+ setting for the given **sysctlvar** is not present in sysctl -+ configuration files. In other words, the check will pass if the system -+ default isn't overriden by configuration. Default value: `false`. -+ - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. - - -From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:03:53 +0200 -Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter - -When the `sysctalval` parameter is a list, this parameter will be -substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This -is better than current computing of the SYSCTL_WRONG_VALUE parameter -which is done by prepending "1" to the string value, because the -computed value could be invalid and the `sysctl -w` command used in the -test scenario wrong_runtime.fail.sh could fail to set the value to -SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same -time the `missing_static_pass` is set to `true` and the system is set to -system default, then the unchanged runtime would cause the check to pass -and therefore the test scenario wrong_runtime.fail.sh to error. ---- - docs/templates/template_reference.md | 3 +++ - .../rule.yml | 1 + - shared/templates/sysctl/template.py | 7 ++----- - 3 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 65da697b808..7e1fc7049cf 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo - should be remedied to. When the **sysctlval** parameter is not a list - this parameter is optional. - -+ - **sysctlval_wrong** - the value that is always wrong. This will be used -+ only in the test scenarios only if **sysctlval** is a list. -+ - - **missing_static_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - configuration files. 
In other words, the check will pass if the system -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index f45769dd2d0..ddff15dff8f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -78,5 +78,6 @@ template: - - '1' - - '2' - sysctlval_remediate: "2" -+ sysctlval_wrong: "0" - missing_static_pass: "true" - datatype: int -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 2574d5d42b0..96663694997 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -41,11 +41,8 @@ def preprocess(data, lang): - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): -- data["sysctl_correct_value"] = data["sysctlval"][0] -- if data["datatype"] == "int": -- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] -- elif data["datatype"] == "string": -- data["sysctl_wrong_value"] = "wrong_value" -+ data["sysctl_correct_value"] = data["sysctlval_remediate"] -+ data["sysctl_wrong_value"] = data["sysctlval_wrong"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - -From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 14 Jul 2022 11:23:59 +0200 -Subject: [PATCH 14/23] Change test_config.yml - ---- - .../tests/test_config.yml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-index dbac89b4caa..c379680e25c 100644
---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
-@@ -1,6 +1,6 @@
- deny_templated_scenarios:
-+ # this rule uses missing_static_pass: true which means the check should pass
-+ # if the configuration is missing (or commented out) therefore we disable
-+ # line_not_there.fail.sh and comment.fail.sh test scenarios
- - line_not_there.fail.sh
- - comment.fail.sh
-- - wrong_value.fail.sh
-- - wrong_value_d_directory.fail.sh
-- - wrong_runtime.fail.sh
-
-From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Fri, 15 Jul 2022 10:36:05 +0200
-Subject: [PATCH 15/23] Simplify sysctl template
-
-Instead of using multiple OVAL tests in OR relation we can have
-a single OVAL test containing multiple OVAL states in OR relation.
-That will simplify the code. 
---- - shared/templates/sysctl/oval.template | 82 +++++---------------------- - 1 file changed, 13 insertions(+), 69 deletions(-) - -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 1719a59f9c7..8241c391ad2 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -8,7 +8,13 @@ - - {{% macro state_static_sysctld(prefix) -%}} - -+{{% if SYSCTLVAL is string %}} - -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} - {{%- if SYSCTLVAL == "" -%}} -@@ -62,38 +68,24 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} --{{% if SYSCTLVAL is string %}} - - - --{{% elif SYSCTLVAL is sequence %}} -- --{{% for x in SYSCTLVAL %}} -- --{{% endfor %}} -- --{{% endif %}} - - --{{% if SYSCTLVAL is string %}} - -+ check="all" check_existence="all_exist" state_operator="OR"> - -+{{% if SYSCTLVAL is string %}} - -- - {{% elif SYSCTLVAL is sequence %}} - {{% for x in SYSCTLVAL %}} -- -- - -- - {{% endfor %}} - {{% endif %}} -+ - - - {{{ SYSCTLVAR }}} -@@ -139,7 +131,6 @@ - {{% endif %}} - - --{{% if SYSCTLVAL is string %}} - - -@@ -150,21 +141,6 @@ - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - --{{% endif %}} --{{% elif SYSCTLVAL is sequence %}} --{{% for x in SYSCTLVAL %}} -- -- -- -- --{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- --{{% endif %}} --{{% endfor %}} - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -@@ -185,61 +161,29 @@ -
- {{% endif %}} - --{{% if SYSCTLVAL is string %}} - -+ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> - {{{ state_static_sysctld("sysctl") }}} - - - -+ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("etc_sysctld") }}} - - - -+ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("run_sysctld") }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} --{{% elif SYSCTLVAL is sequence %}} --{{% for x in SYSCTLVAL %}} -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -- -- -- --{{% endif %}} --{{% endfor %}} --{{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} - -Date: Mon, 25 Jul 2022 15:40:24 +0200 -Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter - -Replace the sysctlval_remediate template parameter by using an XCCDF -value. The variable would be only used in the remediation and would -allow users to tailor the value, instead of the current solution where -the value is hardcoded and can be only changed during build time. 
---- - docs/templates/template_reference.md | 21 +++++++++---------- - .../rule.yml | 1 - - products/rhel9/profiles/ospp.profile | 1 + - shared/templates/sysctl/ansible.template | 6 +++--- - shared/templates/sysctl/bash.template | 10 ++++----- - shared/templates/sysctl/template.py | 11 +--------- - 6 files changed, 20 insertions(+), 30 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 7e1fc7049cf..00f991daae7 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value. This can be either an atomic -- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this -- parameter is not specified, XCCDF Value is used instead. -- -- - **sysctlval_remediate** - the value that will be used in remediations. -- If **sysctlval_remediate** is not specified, the template will use the -- value of the **sysctlval** parameter in the remediations. -- This parameter is mandatory when the **sysctlval** parameter is a list -- because we need to know which of the values in the list the system -- should be remedied to. When the **sysctlval** parameter is not a list -- this parameter is optional. -+ - **sysctlval** - value of the sysctl value. This can be either not -+ specified, or an atomic value, eg. `'1'`, or a list of values, -+ eg. `['1','2']`. -+ - If this parameter is not specified, an XCCDF Value is used instead -+ in OVAL check and remediations. -+ - If this parameter is set to an atomic value, this atomic value -+ will be used in OVAL check and remediations. -+ - If this parameter is set to a list of values, the list will be used -+ in the OVAL check, but won't be used in the remediations. -+ All remediations will use an XCCDF value instead. 
- - - **sysctlval_wrong** - the value that is always wrong. This will be used - only in the test scenarios only if **sysctlval** is a list. -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index ddff15dff8f..9936ed777c8 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -77,7 +77,6 @@ template: - sysctlval: - - '1' - - '2' -- sysctlval_remediate: "2" - sysctlval_wrong: "0" - missing_static_pass: "true" - datatype: int -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index 19e4878c4b0..b47630c62b0 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -75,6 +75,7 @@ selections: - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces - - sysctl_kernel_unprivileged_bpf_disabled_accept_default -+ - sysctl_kernel_unprivileged_bpf_disabled_value=2 - - service_kdump_disabled - - ### Audit -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index 7724db5e5ff..edc4d3fb667 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL_REMEDIATE == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -@@ -29,10 +29,10 @@ - name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" - {{%- else %}} --- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} -+- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} - sysctl: - name: "{{{ SYSCTLVAR }}}" -- value: "{{{ SYSCTLVAL_REMEDIATE }}}" -+ value: "{{{ SYSCTLVAL }}}" - {{%- endif %}} - state: present - reload: yes -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index 63948bd5a26..cd3424b0228 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL_REMEDIATE == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -@@ -38,11 +38,11 @@ done - # - # Set runtime for {{{ SYSCTLVAR }}} - # --/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" -+/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" - - # --# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" --# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf -+# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" -+# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf - # --{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} -+{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}} - {{%- endif %}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 96663694997..2b779f99a62 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -16,15 +16,6 @@ def preprocess(data, lang): - "The sysctlval parameter of {0} is an empty list".format( - data["_rule_id"])) - -- if not data.get("sysctlval_remediate"): -- if isinstance(data["sysctlval"], list): -- raise ValueError( -- "Problem with rule {0}: the 'sysctlval' parameter is a list " -- "but we are missing 
the 'sysctlval_remediate' parameter, so " -- "we don't know how to generate remediation content.".format( -- data["_rule_id"])) -- data["sysctlval_remediate"] = data["sysctlval"] -- - # Configure data for test scenarios - if data["datatype"] not in ["string", "int"]: - raise ValueError( -@@ -41,7 +32,7 @@ def preprocess(data, lang): - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): -- data["sysctl_correct_value"] = data["sysctlval_remediate"] -+ data["sysctl_correct_value"] = data["sysctlval"][0] - data["sysctl_wrong_value"] = data["sysctlval_wrong"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - -From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 15:47:11 +0200 -Subject: [PATCH 17/23] Rename a template parameter - -Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing ---- - docs/templates/template_reference.md | 4 ++-- - .../rule.yml | 2 +- - shared/templates/sysctl/template.py | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 00f991daae7..4e6357c1579 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo - in the OVAL check, but won't be used in the remediations. - All remediations will use an XCCDF value instead. - -- - **sysctlval_wrong** - the value that is always wrong. This will be used -- only in the test scenarios only if **sysctlval** is a list. -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used -+ only in the templated test scenarios only if **sysctlval** is a list. 
- - - **missing_static_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 9936ed777c8..b8af4f7560d 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -77,6 +77,6 @@ template: - sysctlval: - - '1' - - '2' -- sysctlval_wrong: "0" -+ wrong_sysctlval_for_testing: "0" - missing_static_pass: "true" - datatype: int -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index 2b779f99a62..9083a6a4185 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -33,7 +33,7 @@ def preprocess(data, lang): - data["sysctl_wrong_value"] = "wrong_value" - elif isinstance(data["sysctlval"], list): - data["sysctl_correct_value"] = data["sysctlval"][0] -- data["sysctl_wrong_value"] = data["sysctlval_wrong"] -+ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - -From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 15:56:26 +0200 -Subject: [PATCH 18/23] Rename parameter missing_static_pass - -Rename the parameter missing_static_pass to missing_parameter_pass -to make the naming consistent with other templates where a parameter -with a similar meaning exist. 
---- - docs/templates/template_reference.md | 2 +- - .../rule.yml | 2 +- - .../tests/test_config.yml | 2 +- - shared/templates/sysctl/oval.template | 6 +++--- - 4 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 4e6357c1579..0fff58c0a23 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo - - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used - only in the templated test scenarios only if **sysctlval** is a list. - -- - **missing_static_pass** - if set to `true` the check will pass if the -+ - **missing_parameter_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - configuration files. In other words, the check will pass if the system - default isn't overriden by configuration. Default value: `false`. 
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index b8af4f7560d..7d8769a913f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -78,5 +78,5 @@ template: - - '1' - - '2' - wrong_sysctlval_for_testing: "0" -- missing_static_pass: "true" -+ missing_parameter_pass: "true" - datatype: int -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -index c379680e25c..5cf68074050 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -@@ -1,5 +1,5 @@ - deny_templated_scenarios: -- # this rule uses missing_static_pass: true which means the check should pass -+ # this rule uses missing_parameter_pass: true which means the check should pass - # if the configuration is missing (or commented out) therefore we disable - # line_not_there.fail.sh and comment.fail.sh test scenarios - - line_not_there.fail.sh -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 8241c391ad2..1a7c4979bbe 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -126,7 +126,7 @@ - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} --{{% 
if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - {{% endif %}} - -@@ -147,13 +147,13 @@ - - {{% endif %}} - --{{% if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - - {{% endif %}} - - --{{% if MISSING_STATIC_PASS == "true" %}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} - - -From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 25 Jul 2022 16:26:03 +0200 -Subject: [PATCH 19/23] Add a variable - sysctl_kernel_unprivileged_bpf_disabled_value - ---- - ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -new file mode 100644 -index 00000000000..b8bf965a255 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -0,0 +1,18 @@ -+documentation_complete: true -+ -+title: kernel.unprivileged_bpf_disabled -+ -+description: |- -+ Prevent unprivileged processes from using the bpf() syscall. 
-+ -+type: number -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ default: 2 -+ 0: "0" -+ 1: "1" -+ 2: "2" - -From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:09 +0200 -Subject: [PATCH 20/23] Improve documentation of the sysctl template - ---- - docs/templates/template_reference.md | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index 0fff58c0a23..e73b95450fe 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo - specified, or an atomic value, eg. `'1'`, or a list of values, - eg. `['1','2']`. - - If this parameter is not specified, an XCCDF Value is used instead -- in OVAL check and remediations. -+ in OVAL check and remediations. The XCCDF Value should have a file -+ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, -+ where the `escaped_sysctlvar` is a value of the **sysctlvar** -+ parameter in which all characters that don't match the `\w` regular -+ expression are replaced by an underscore (`_`). - - If this parameter is set to an atomic value, this atomic value - will be used in OVAL check and remediations. - - If this parameter is set to a list of values, the list will be used - in the OVAL check, but won't be used in the remediations. - All remediations will use an XCCDF value instead. - -- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used -- only in the templated test scenarios only if **sysctlval** is a list. -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This -+ will be used in templated test scenarios when **sysctlval** is a list. 
- - - **missing_parameter_pass** - if set to `true` the check will pass if the - setting for the given **sysctlvar** is not present in sysctl - -From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:34 +0200 -Subject: [PATCH 21/23] Remove RHEL 8 STIG ID - ---- - .../rule.yml | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 7d8769a913f..ec3b5aef82f 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -33,8 +33,6 @@ references: - nist: AC-6,SC-7(10) - ospp: FMT_SMF_EXT.1 - srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 -- stigid@ol8: OL08-00-040281 -- stigid@rhel8: RHEL-08-040281 - - ocil: |- - The runtime status of the kernel.unprivileged_bpf_disabled - -From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 26 Jul 2022 09:36:47 +0200 -Subject: [PATCH 22/23] Fix a typo - ---- - .../rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index ec3b5aef82f..589deccb0c7 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -62,7 +62,7 @@ ocil: |- - 
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" - - fixtext: |- -- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. -+ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. - - srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' - - -From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 27 Jul 2022 10:36:04 +0200 -Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description - ---- - .../rule.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -index 589deccb0c7..259d1f901c6 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -13,11 +13,13 @@ description: |- - disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. - Once set to 1, this can't be cleared from the running kernel anymore. - -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ - Writing 2 to this entry will also disable unprivileged calls to bpf(), - however, an admin can still change this setting later on, if needed, by - writing 0 or 1 to this entry. 
- -- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} - - rationale: |- - Loading and accessing the packet filters programs and maps using the bpf() diff --git a/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch b/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch new file mode 100644 index 0000000..eb63127 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch 
@@ -0,0 +1,106 @@ +From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 13 Feb 2023 17:49:14 +0100 +Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled + +Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch +Patch-status: Change custom zones check in firewalld_sshd_port_enabled +--- + .../oval/shared.xml | 68 +++++++++++++++---- + 1 file changed, 54 insertions(+), 14 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index 4adef2e53f..d7c96665b4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -133,9 +133,10 @@ + OVAL resources in order to detect and assess only active zone, which are zones with at + least one NIC assigned to it. Since it was possible to easily have the list of active + zones, it was cumbersome to use that list in other OVAL objects without introduce a high +- level of complexity to make sure environments with multiple NICs and multiple zones are +- in use. So, in favor of simplicity and readbility it was decided to work with a static +- list. It means that, in the future, it is possible this list needs to be updated. --> ++ level of complexity to ensure proper assessment in environments where multiple NICs and ++ multiple zones are in use. So, in favor of simplicity and readbility it was decided to ++ work with a static list. It means that, in the future, it is possible this list needs to ++ be updated. 
--> + +@@ -145,23 +146,62 @@ + +- ++ +- +- +- ++ ++ ++ ++ ++ ++ var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count ++ ++ ++ ++ ++ ++ ++ + + +- /etc/firewalld/zones +- ^.*\.xml$ +- /zone/service[@name='ssh'] ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ /zone/service[@name='ssh'] + + +- +- /zone/service[@name='ssh'] +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ + + + +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- state_permissions_ignore_hidden_paths +- +- +- +- +- ^.*\/\..*$ +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfp_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfp_syslog_config +- +- +- +- +- +- object_var_rfp_include_config_regex +- object_var_rfp_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_permissions_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- false +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} +- true +- {{% else %}} +- false +- {{% endif %}} +- false +- false +- false +- false +- false +- +-
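Review bot: The reworded comment in the hunk at `+@@ -133,9 +133,10 @@` still carries the misspelling `readbility` on the new line `multiple zones are in use. So, in favor of simplicity and readbility it was decided to`; since the commit rewrites exactly this sentence, it should read `readability`. The unchanged context line just above it, `without introduce a high`, is also ungrammatical (`without introducing`), but it lies outside the changed lines, so fixing it would widen the hunk. The enclosing XML comment opens before the hunk, and the second hunk of this file (`+@@ -145,23 +146,62 @@`) runs past what is visible here, so its body is not reviewed.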
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +index 508ff73cde..042c35362d 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +@@ -1,18 +1,24 @@ ++{{%- if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} ++ {{%- set rsyslog_perm='640' %}} ++{{%- else %}} ++ {{%- set rsyslog_perm='600' %}} ++{{%- endif %}} ++ + documentation_complete: true + + title: 'Ensure System Log Files Have Correct Permissions' + + description: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. For each log file LOGFILE + referenced in /etc/rsyslog.conf, run the following command to + inspect the file's permissions: +
$ ls -l LOGFILE
+- If the permissions are not 600 or more restrictive, run the following ++ If the permissions are not {{{ rsyslog_perm }}} or more restrictive, run the following + command to correct this: +-
$ sudo chmod 0600 LOGFILE
" ++
$ sudo chmod {{{ rsyslog_perm }}} LOGFILE
" + + rationale: |- + Log files can contain valuable information regarding system +@@ -46,9 +52,23 @@ ocil_clause: 'the permissions are not correct' + + ocil: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. To see the permissions of a given log + file, run the following command: +
$ ls -l LOGFILE
+- The permissions should be 600, or more restrictive. ++ The permissions should be {{{ rsyslog_perm }}}, or more restrictive. ++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: permissions ++ value: '0600' ++ value@debian10: '0640' ++ value@debian11: '0640' ++ value@sle12: '0640' ++ value@sle15: '0640' ++ value@ubuntu1604: '0640' ++ value@ubuntu1804: '0640' ++ value@ubuntu2004: '0640' ++ value@ubuntu2204: '0640' +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh +deleted file mode 100755 +index c27e7874d9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh +deleted file mode 100755 +index 124b5e863e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. 
+-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index a6ff6a1109..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 2ae5c89a4e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +deleted file mode 100755 +index a5a2f67fad..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ /dev/null +@@ -1,85 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +deleted file mode 100755 +index fe4db0a3c9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ /dev/null +@@ -1,86 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << 
EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh +deleted file mode 100755 +index eabcb21956..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh +deleted file mode 100755 +index 32cd4c334a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index 357d4f9718..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,52 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0600 from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 7bdb830c00..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +deleted file mode 100644 +index 9b0185c6b2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create hidden test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +deleted file mode 100644 +index b929f2a94a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh ++++ /dev/null +@@ -1,45 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# Skip creation test2 configuration file +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh +deleted file mode 100644 +index 2eb515a43e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh ++++ /dev/null +@@ -1,23 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[@]} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh +deleted file mode 100755 +index fd3f9e92ec..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_FAIL=0601 +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh +deleted file mode 100644 +index 7a598626d0..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh ++++ /dev/null +@@ -1,22 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle 
Linux 8,multi_platform_sle
+-
+-source $SHARED/rsyslog_log_utils.sh
+-
+-# setup test data
+-create_rsyslog_test_logs 2
+-
+-# setup test log files and permissions
+-chmod 0600 ${RSYSLOG_TEST_LOGS[0]}
+-chmod 0601 ${RSYSLOG_TEST_LOGS[1]}
+-
+-# create rsyslog.conf configuration file
+-cat << EOF > $RSYSLOG_CONF
+-# rsyslog configuration file
+-
+-#### RULES ####
+-
+-*.* ${RSYSLOG_TEST_LOGS[0]}
+-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]}
+-EOF
+-
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh
+new file mode 100755
+index 0000000000..b3846fec47
+--- /dev/null
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh
+@@ -0,0 +1,25 @@
++#!/bin/bash
++# platform = multi_platform_sle,multi_platform_ubuntu
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++CHATTR="chmod"
++ATTR_VALUE="0640"
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh 
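Review bot: The comment `# create three test log file` in mixed_correct_attr_group_read.pass.sh contradicts the `create_rsyslog_test_logs 2` call directly below it, which creates two files; mixed_correct_attr_stricter.pass.sh carries the same mismatch, so `# create two test log files` in both. Both scripts hard-code `CHATTR="chmod"` and `ATTR_VALUE` (0640 / 0400) instead of deriving them from the rule's ATTRIBUTE/VALUE, so whether the scenario passes presumably depends on the products listed in the `# platform` line requiring exactly 0640; a one-line comment stating that assumption next to `ATTR_VALUE` would make the narrow platform list understandable. The `fileGroup="hoiadm"` group in the omfile action is never created by the script; since nothing here starts rsyslog that is harmless, but a comment such as `# group is deliberately non-existent: only the config text is scanned` would prevent a later reader from "fixing" it.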
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh
+new file mode 100755
+index 0000000000..0b4cb5dce0
+--- /dev/null
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh
+@@ -0,0 +1,25 @@
++#!/bin/bash
++# platform = multi_platform_all
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++CHATTR="chmod"
++ATTR_VALUE="0400"
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh
+deleted file mode 100755
+index fbdcd18f77..0000000000
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh
++++ /dev/null
+@@ -1,35 +0,0 @@
+-#!/bin/bash
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+-
+-# Check if log file with permissions 0600 in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 4 +- +-# setup all files with incorrect permission +-chmod 0601 "${RSYSLOG_TEST_LOGS[@]}" +- +-# setup the real logfile with correct permissions +-chmod $PERMS "${RSYSLOG_TEST_LOGS[0]}" +- +-# add rule with 0600 permissions log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +- *.* ${RSYSLOG_TEST_LOGS[1]} +- +-authpriv.* /nonexistent_file +- +-# *.* /irrelevant_file +- +-\$something /irrelevant_file +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh +deleted file mode 100755 +index 75e9558c63..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh ++++ /dev/null +@@ -1,34 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with permissions 0601 in rsyslog.conf fails. 
+-
+-source $SHARED/rsyslog_log_utils.sh
+-
+-PERMS=0601
+-
+-# setup test data
+-create_rsyslog_test_logs 3
+-
+-# setup test log file and permissions
+-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+-
+-# add rule with 0601 permissions log file
+-cat << EOF > $RSYSLOG_CONF
+-# rsyslog configuration file
+-
+-#### RULES ####
+-
+-*.* ${RSYSLOG_TEST_LOGS[0]}
+-
+-cron.* /nonexistent_file
+-
+- authpriv.* /irrelevant_file
+-
+-# *.* /irrelevant_file
+-
+-\$something /irrelevant_file
+-
+-something.* ${RSYSLOG_TEST_LOGS[2]}
+-
+-EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
+index fc9e8844b6..81d6220415 100644
+--- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
+@@ -20,7 +20,7 @@
+ - name: '{{{ rule_title }}} - Get include files directives'
+ ansible.builtin.shell: |
+ set -o pipefail
+- grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
++ awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true
+ register: rsyslog_new_inc
+ changed_when: False
+
+@@ -61,8 +61,9 @@
+ - name: '{{{ rule_title }}} -Setup log files attribute'
+ ansible.builtin.file:
+ path: "{{ item }}"
+- owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}'
+- group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}'
++ {{{ 'owner: ' ~ VALUE if ATTRIBUTE == "owner" }}}
++ {{{- 'group: ' ~ VALUE if ATTRIBUTE == "groupowner" }}}
++ {{{- 'mode: ' ~ VALUE if ATTRIBUTE == "permissions" }}}
+ state: file
+ loop: "{{ log_files | list | flatten | unique }}"
+ failed_when: false
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template 
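Review bot: `gensub()` on the new `awk '/)/{f=0} /include\(/{f=1} ...'` line is a gawk extension, so on hosts whose `awk` is mawk or busybox awk (Debian and Ubuntu ship mawk by default, and multi_platform_ubuntu is among the products the sibling tests target) the program fails to parse, and the trailing `|| true` turns that into an empty `rsyslog_new_inc`, silently leaving every `include(file=...)` config unprocessed. Either invoke `gawk` explicitly or rewrite the extraction with POSIX `match()`/`substr()`, and drop the `|| true`: unlike the `grep` it replaces, awk exits 0 when nothing matches, so the guard now only hides real errors. The `|| true` removal alone is a one-line change: `awk '...' {{ rsyslog_etc_config }}`.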
b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
+index ab4a563dc5..d6755d5692 100644
+--- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
+@@ -48,7 +48,8 @@ do
+ # * Strip quotes and closing brackets from paths.
+ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
+ # * From the remaining valid rows select only fields constituting a log file path
+- # Text file column is understood to represent a log file path if and only if all of the following are met:
++ # Text file column is understood to represent a log file path if and only if all of the
++ # following are met:
+ # * it contains at least one slash '/' character,
+ # * it is preceded by space
+ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
+@@ -60,8 +61,8 @@ do
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
+ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
+ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
+- # Since above sed command might return more than one item (delimited by newline), split the particular
+- # matches entries into new array specific for this log file
++ # Since above sed command might return more than one item (delimited by newline), split
++ # the particular matches entries into new array specific for this log file
+ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
+ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
+ # items from newly created array for this log file
+@@ -71,7 +72,8 @@ do
+ fi
+ done
+
+-# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly
++# Check for RainerScript action log format which might be also multiline so grep regex is a bit
++# curly:
+ # extract possibly multiline 
action omfile expressions
+ # extract File="logfile" expression
+ # match only "logfile" expression
+@@ -82,22 +84,10 @@ do
+ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
+ done
+
+-FILE_PARAM="{{{ ATTRIBUTE }}}"
+-FILE_CMD=""
+-case "$FILE_PARAM" in
+- "groupowner")
+- FILE_CMD=$(which chgrp)
+- ;;
+- "owner")
+- FILE_CMD=$(which chown)
+- ;;
+- *)
+- echo -n "Not supported file attribute! "
+- exit 1
+- ;;
+-esac
+-
+-# Correct the form o
++# Ensure the correct attribute if file exists
++{{{ 'FILE_CMD="chown"' if ATTRIBUTE == "owner" }}}
++{{{- 'FILE_CMD="chgrp"' if ATTRIBUTE == "groupowner" }}}
++{{{- 'FILE_CMD="chmod"' if ATTRIBUTE == "permissions" }}}
+ for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
+ do
+ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
+@@ -105,6 +95,5 @@ do
+ then
+ continue
+ fi
+-
+- $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH"
++ $FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH"
+ done
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
+index 4f288df1c9..243d678852 100644
+--- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
+@@ -3,59 +3,57 @@
+ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} + + {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- ++ + {{% endif %}} +- ++ + +- +
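Review bot: Removing the `case` block also removes the `*)` branch that aborted with `Not supported file attribute!`; with the three Jinja conditionals an ATTRIBUTE outside `owner`/`groupowner`/`permissions` leaves `FILE_CMD` unset, and the loop in the following hunk then executes `"{{{ VALUE }}}" "$LOG_FILE_PATH"` as a command instead of failing fast. A guard right after the three template lines restores the old behaviour: `[ -n "${FILE_CMD:-}" ] || { echo "Not supported file attribute!" >&2; exit 1; }` (or reject the value in template.py's preprocess so no remediation is generated at all). The `for LOG_FILE_PATH` loop opened here is closed by the `done` in the `@@ -105` hunk.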
+ +- +- +- ++ ++ + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ++ comment="rsyslog's include config values converted to regex."> + + + ++ object_ref="object_{{{ _RULE_ID }}}_include_config_value"/> + + + + +- +- ++ ++ + var_{{{ _RULE_ID }}}_include_config_regex + + +- ++ + ^/etc/rsyslog.conf$ + + +- ++ + var_{{{ _RULE_ID }}}_syslog_config + + +- +- ++ ++ + + object_var_{{{ _RULE_ID }}}_include_config_regex + object_var_{{{ _RULE_ID }}}_syslog_config +@@ -64,74 +62,72 @@ + + +- +- ++ ++ + + +- +- +- +- +- ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+.*\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ + 1 +- state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ state_{{{ _RULE_ID }}}_ignore_include_paths + + +- +- ++ ++ + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) + + + ++ retrieved from the different rsyslog configuration files. --> + +- ++ comment="File paths of all rsyslog log files"> ++ + + +- +- +- ++ ++ ++ + + + +- +- ++ ++ + + + + regular + {{% if ATTRIBUTE == "groupowner" %}} + {{{ VALUE }}} +- {{% else %}} ++ {{% elif ATTRIBUTE == "owner" %}} + {{{ VALUE }}} ++ {{% else %}} ++ {{{ STATEMODE | indent(4) }}} + {{% endif %}} + +- +
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.py b/shared/templates/rsyslog_logfiles_attributes_modify/template.py
+new file mode 100644
+index 0000000000..9ea31c9a6b
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.py
+@@ -0,0 +1,18 @@
++def preprocess(data, lang):
++ if lang == "oval" and data["attribute"] == 'permissions':
++ # create STATEMODE used in the OVAL template by processing the octal permission and
++ # creating the equivalent permission fields of "unix:file_state" element.
++ mode = data["value"]
++ fields = [
++ 'oexec', 'owrite', 'oread', 'gexec', 'gwrite', 'gread',
++ 'uexec', 'uwrite', 'uread', 'sticky', 'sgid', 'suid']
++ mode_int = int(mode, 8)
++ mode_str = ""
++ for field in fields:
++ if mode_int & 0x01 == 0:
++ mode_str = (
++ "false\n{mode_str}".format(
++ field=field, mode_str=mode_str))
++ mode_int = mode_int >> 1
++ data["statemode"] = mode_str.rstrip("\n")
++ return data
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
+deleted file mode 100755
+index db7e5261eb..0000000000
+--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
++++ /dev/null
+@@ -1,50 +0,0 @@
+-#!/bin/bash
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+-
+-# Check rsyslog.conf with root user log from rules and
+-# non root user log from $IncludeConfig fails. 
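Review bot: `preprocess` has no docstring, and its central design decision — only bits that are clear in `value` produce a `false` element, so a file whose mode is stricter than `value` still passes the check — is stated nowhere; suggest `"""OVAL-only: turn the octal mode in data["value"] into unix:file_state elements (data["statemode"]). Only bits cleared in the mode emit a ``false`` element, so stricter modes pass."""`. The prepending in the `mode_str = (...format(...))` assignment is what makes suid/sgid/sticky come out first and oexec last, which appears to be the element order unix:file_state expects; a comment such as `# prepend: the schema wants suid..oexec order, fields is listed LSB-first` would keep a future cleanup from "simplifying" it into an append. `int(mode, 8)` raises a bare `ValueError` for a non-octal VALUE such as `u=rw`; re-raising it with the rule context would make the build failure actionable, e.g. `raise ValueError("rsyslog_logfiles_attributes_modify: VALUE must be an octal mode, got %r" % mode)`.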
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +deleted file mode 100755 +index d79ae23cfc..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +deleted file mode 100644 +index 7869a180a8..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh ++++ /dev/null +@@ -1,75 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-{{% if ATTRIBUTE == "owner" %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% else %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% endif %}} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +deleted file mode 100755 +index e80395ca99..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,46 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check 
rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index e7b4905dc5..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,63 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_ROOT=root +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 6389e6ea3b..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,58 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +deleted file mode 100755 +index 6b81a77c2f..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh ++++ /dev/null +@@ -1,59 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 78b105abf3..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,47 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +deleted file mode 100755 +index afce21fa27..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root user in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root user owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +similarity index 53% +rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +index 1afe20823c..dc362ae003 100755 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +@@ -1,33 +1,31 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +-# Check if log file with non root user in rsyslog.conf fails. 
+- ++# Declare variables used for the tests and define the create_rsyslog_test_logs function + source $SHARED/rsyslog_log_utils.sh + + {{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" + CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} + CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" + {{% endif %}} + +-USER=testssg +- +-$ADDCOMMAND $USER +- +-# setup test data ++# create one test log file + create_rsyslog_test_logs 1 + +-# setup test log file ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} + +-# add rule with non-root user owned log file ++# add rule with test log file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[0]} ++ + EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +similarity index 51% +rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +index b03268fe3e..c742f41039 100755 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +@@ -1,45 +1,45 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +-# Check rsyslog.conf with root user log from rules and +-# root user log from $IncludeConfig passes. 
+- ++# Declare variables used for the tests and define the create_rsyslog_test_logs function + source $SHARED/rsyslog_log_utils.sh + + {{% if ATTRIBUTE == "owner" %}} + CHATTR="chown" +-{{% else %}} ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} + CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" + {{% endif %}} + +-USER=root +- +-# setup test data ++# create two test log file + create_rsyslog_test_logs 2 + +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} + +-# create test configuration file ++# create test configuration file with rule for second test log file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf + cat << EOF > ${test_conf} +-# rsyslog configuration file ++# rsyslog test configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[1]} ++ + EOF + +-# create rsyslog.conf configuration file ++# add rule with first test log file plus an include statement + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[0]} + + #### MODULES #### +- + \$IncludeConfig ${test_conf} ++ + EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..a12d0bc653 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh +@@ -0,0 +1,50 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" 
++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..25430db033 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create one test log file 
++create_rsyslog_test_logs 1 ++ ++# setup test log file property ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]} ++ ++# add rule with non-root user owned log file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh +new file mode 100755 +index 0000000000..c1c5758d80 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh +new file mode 100755 +index 0000000000..0235130534 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh +@@ -0,0 +1,58 @@ 
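Review bot: The comment `# add rule with non-root user owned log file` above the heredoc is only accurate for the owner branch; for groupowner the file is group-owned by cac_testgroup and for permissions it is mode 0666, so it should read `# add rule with the test log file that carries the incorrect attribute`. It is carried over verbatim from the deleted is_other.fail.sh and is now the only line in the fixture that still describes ownership specifically.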
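Review bot: The RainerScript action `*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File=...)` in this pass fixture declares a mode and group that contradict the attribute the fixture expects (root owner/group, 0600): it passes only because the check reads the on-disk attributes that `$CHATTR` set and rsyslog never starts to apply the action parameters. If the check or the remediation ever honours `FileCreateMode`/`fileGroup`, every fixture reusing this line flips; write it as `FileCreateMode="0600" fileOwner="root" fileGroup="root"` so configuration and expected state agree, here and in the other new fixtures that copy it (mixed_include_*, mixed_incorrect_attr_*, rainer_*). Separately, `# create three test log file` precedes `create_rsyslog_test_logs 2` here and in mixed_incorrect_attr_cloudinit, mixed_incorrect_attr_legacy and mixed_incorrect_attr_rainer; fix the count and the plural in those comments.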
++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh +new file mode 100755 +index 0000000000..bed0afaf5e +--- /dev/null ++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh +@@ -0,0 +1,63 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git 
a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh +new file mode 100755 +index 0000000000..83c69b3a17 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh +@@ -0,0 +1,63 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include 
statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh +new file mode 100755 +index 0000000000..43a6f2648d +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh +new file mode 100755 +index 0000000000..f459e7377b +--- /dev/null ++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh +new file mode 100755 +index 0000000000..67193b69d8 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd 
$ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh +new file mode 100755 +index 0000000000..abdb09c485 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh +@@ -0,0 +1,31 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create one test log file ++create_rsyslog_test_logs 1 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++ ++# add rule with test log file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++EOF +diff --git 
a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..8b73578e39
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
+@@ -0,0 +1,45 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(file="${test_conf}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..4c25c09e2e
+--- /dev/null
++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
+@@ -0,0 +1,50 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(file="${test_conf}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..508a5cf6eb
+--- /dev/null
++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
+@@ -0,0 +1,47 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(
++ file="${test_conf}"
++)
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..49fada4cd4
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
+@@ -0,0 +1,52 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used 
for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(
++ file="${test_conf}"
++)
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..b17eb6b744
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" 
%}}
++CHATTR="chown"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create one test log file
++create_rsyslog_test_logs 1
++
++# setup test log file property
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
++
++# add rule with non-root user owned log file
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++EOF
+-- 
+2.39.1
+
diff --git a/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch b/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
new file mode 100644
index 0000000..80bcc2f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
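Review bot: The comment `# add rule with non-root user owned log file` above the heredoc describes only the `owner` instantiation of this template; for `groupowner` and the `chmod` branch the fixture's file has the wrong group or mode, not a non-root owner, and the comment then misleads whoever debugs a failing variant. `# add rule with a log file whose attribute is set to the incorrect value` is accurate for all three branches. The `{{% if ATTRIBUTE == "owner" %}}` ladder at the top of this hunk opens on the previous numbered line.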
@@ -0,0 +1,1950 @@ +From b8d2b568eb07b10f8a51f1327e399303bc06528d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 13 Feb 2023 17:49:12 +0100 +Subject: [PATCH 1/5] Rsyslog files rules remediations + +Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch +Patch-status: Rsyslog files rules remediations +--- + controls/cis_sle12.yml | 4 +- + controls/cis_sle15.yml | 4 +- + .../file_groupowner_logfiles_value.var | 18 --- + .../oval/shared.xml | 116 --------------- + .../rsyslog_files_groupownership/rule.yml | 39 ++++- + .../tests/IncludeConfig_is_other.fail.sh | 42 ------ + .../tests/IncludeConfig_is_root.pass.sh | 39 ----- + .../tests/include_is_other.fail.sh | 42 ------ + .../tests/include_is_root.pass.sh | 39 ----- + .../tests/include_multiline_is_root.pass.sh | 41 ------ + .../tests/is_other.fail.sh | 25 ---- + .../tests/is_root.pass.sh | 24 --- + .../rsyslog_files_ownership/oval/shared.xml | 114 --------------- + .../rsyslog_files_ownership/rule.yml | 44 +++++- + .../ansible/shared.yml | 12 ++ + .../rsyslog_logging_configured/bash/shared.sh | 7 + + .../oval/shared.xml | 41 ++++++ + .../rsyslog_logging_configured/rule.yml | 34 +++++ + ...with_everything_logged_to_messages.pass.sh | 13 ++ + .../rsyslog_file_with_no_logging.fail.sh | 12 ++ + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian10/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian11/profiles/standard.profile | 2 - + products/rhel7/profiles/rht-ccp.profile | 2 - + products/rhel8/profiles/rht-ccp.profile | 2 - + .../profiles/anssi_bp28_intermediary.profile | 1 + + products/sle15/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1604/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1804/profiles/standard.profile | 2 - + products/ubuntu2004/profiles/standard.profile | 2 - + 
products/ubuntu2204/profiles/standard.profile | 2 - + shared/references/cce-sle12-avail.txt | 1 - + shared/references/cce-sle15-avail.txt | 1 - + .../ansible.template | 68 +++++++++ + .../bash.template | 110 ++++++++++++++ + .../oval.template | 137 ++++++++++++++++++ + .../template.yml | 4 + + .../tests/IncludeConfig_is_other.fail.sh | 14 +- + .../tests/IncludeConfig_is_root.pass.sh | 10 +- + .../tests/include_is_other.fail.sh | 14 +- + ...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++- + .../tests/include_is_root.pass.sh | 11 +- + ...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +- + ...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +- + ...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +-- + .../tests/include_multiline_is_root.pass.sh | 10 +- + .../tests/is_other.fail.sh | 12 +- + .../tests/is_root.pass.sh | 8 +- + 51 files changed, 648 insertions(+), 576 deletions(-) + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh + delete mode 100755 
linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%) 
+ rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%) + mode change 100755 => 100644 + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => 
shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%) + +diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml +index 5c464fe556..8576343b9d 100644 +--- a/controls/cis_sle12.yml ++++ b/controls/cis_sle12.yml +@@ -1321,7 +1321,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml +index 36d7616f90..f82341a038 100644 +--- a/controls/cis_sle15.yml ++++ b/controls/cis_sle15.yml +@@ -1469,7 +1469,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var +deleted file mode 100644 +index 7ebf8c191a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var ++++ /dev/null +@@ -1,18 +0,0 @@ +-documentation_complete: true +- +-title: 'group who owns log files' +- +-description: |- +- Specify group owner of all logfiles specified in +- /etc/rsyslog.conf. 
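Review bot: `status: manual` is deleted rather than updated, so after this hunk the control has `automated: yes` but no `status` key at all; if the controls loader substitutes its default for a missing status (pending, as far as I recall) the control moves from an explicit manual to an implicit pending rather than to `status: automated`. The cis_sle15.yml hunk right after this one makes the identical edit. Because one `rsyslog_logging_configured` rule can only confirm that some rsyslog rule writes to a log file, not that the site's logging policy is implemented, `automated: partially` together with `status: automated` would describe the coverage more honestly; please confirm against the status handling in ssg/controls.py. The control's `id` and `title` lines are above the hunk.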
+- +-type: string +- +-operator: equals +- +-interactive: false +- +-options: +- default: root +- adm: adm +- root: root +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +deleted file mode 100644 +index 4567f4d411..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml ++++ /dev/null +@@ -1,116 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}} +- +- +- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- +- {{% endif %}} +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfg_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfg_syslog_config +- +- +- +- +- +- object_var_rfg_include_config_regex +- object_var_rfg_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_groupownership_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}} +- 4 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +index 4f797f4a21..13c89d90c5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml ++++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' + + description: |- + The group-owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ rsyslog should be ++{{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++{{% else %}} ++ root. ++{{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's group owner: +
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +-
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
++{{% if 'debian' in product or 'ubuntu' in product %}} ++
$ sudo chgrp adm LOGFILE
++{{% else %}} ++
$ sudo chgrp root LOGFILE
++{{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +62,24 @@ references: + ocil_clause: 'the group-owner is not correct' + + ocil: |- +- The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ The group-owner of all log files written by rsyslog should be ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the group-owner of a given log file, run the following command: +
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: groupowner ++ value: 0 ++ value@debian10: 4 ++ value@debian11: 4 ++ value@ubuntu1604: 4 ++ value@ubuntu2004: 4 ++ value@ubuntu2204: 4 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index 575530ef2e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 
39efc1a4b7..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from $IncludeConfig passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh +deleted file mode 100755 +index c0db7056b4..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh +deleted file mode 100755 +index 1feaf762fc..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 5a357d029b..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh +deleted file mode 100755 +index c7c01132f2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh ++++ /dev/null +@@ -1,25 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with non root group-owner in rsyslog.conf fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=testssg +- +-groupadd $GROUP +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with non-root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh +deleted file mode 100755 +index 0ecbb35bd1..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh ++++ /dev/null +@@ -1,24 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root group-owner in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +deleted file mode 100644 +index 8e3f68db26..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml ++++ /dev/null +@@ -1,114 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}} +- +- +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfo_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfo_syslog_config +- +- +- +- +- +- object_var_rfo_include_config_regex +- object_var_rfo_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_owner_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- +- {{% if product in ["ubuntu2004", "ubuntu2204"] %}} +- 104 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +index 37c87b07cd..0d9bf40f4b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml ++++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User' + + description: |- + The owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's owner: +
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog, ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +-
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++
$ sudo chown syslog LOGFILE
++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++
$ sudo chown adm LOGFILE
++ {{% else %}} ++
$ sudo chown root LOGFILE
++ {{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +68,23 @@ references: + ocil_clause: 'the owner is not correct' + + ocil: |- +- The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ The owner of all log files written by rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the owner of a given log file, run the following command: +
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: owner ++ value: 0 ++ value@ubuntu2004: 104 ++ value@ubuntu2204: 104 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +new file mode 100644 +index 0000000000..041e263155 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "Set rsyslog remote loghost" ++ lineinfile: ++ dest: /etc/rsyslog.conf ++ regexp: "^\\*\\.\\*" ++ line: "*.* /var/log/messages" ++ create: yes +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +new file mode 100644 +index 0000000000..d634610225 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +new file mode 100644 +index 0000000000..89e1e7616e +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +@@ -0,0 +1,41 @@ ++ ++ ++ {{{ 
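Review bot: The `template:` block added at the end of this hunk sets `value: 0` for every product except `value@ubuntu2004: 104` and `value@ubuntu2204: 104`, while the description rewritten in the first hunk of this file tells debian and pre-20.04 ubuntu users the owner should be `adm`, so the rendered text and the generated OVAL/remediation (which use `{{{ VALUE }}}`) disagree on those products. The profile hunks for debian10/11, ubuntu1604/1804 and sle15 further down drop `file_owner_logfiles_value=adm`, so on those products the effective requirement moves from `adm` to root without that being stated anywhere in the rule text. Either add `value@debian10`, `value@debian11`, `value@ubuntu1604` and `value@ubuntu1804` entries carrying the adm UID (`value@debian10: <ADM_UID>`, constructed placeholder) or drop the `adm` branch from the description so both sides say root. The Ubuntu value `104` is presumably the UID the `syslog` system user receives on a stock install; since the template compares numeric ids, a host where that user got a different UID fails the check and would be remediated to the wrong UID, so a comment recording that assumption next to the value would help the next maintainer.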
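Review bot: The `lineinfile` task in this new file uses `regexp: "^\\*\\.\\*"`, which replaces the last existing line starting with `*.*` in /etc/rsyslog.conf — on a host that forwards everything to a central collector with a `*.* @@loghost` style rule, applying this remediation turns that forwarding rule into local file logging; the `bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', ...)` call in the following bash/shared.sh hunk has the same effect. Narrow the match to the rule this remediation owns, e.g. `regexp: '^\*\.\*\s+-?/var/log/messages'`, so an unrelated `*.*` rule is preserved and the local rule is appended alongside it. The task name `"Set rsyslog remote loghost"` reads as a copy-paste leftover; `name: "Ensure rsyslog logs all facilities to /var/log/messages"` describes what the task actually does.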
oval_metadata("Syslog logs should be configured") }}} ++ ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ ++ /etc/rsyslog.d ++ ^.+\.conf$ ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +new file mode 100644 +index 0000000000..f9477de9e9 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++title: 'Ensure logging is configured' ++ ++description: |- ++ The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files ++ specifies rules for logging and which files are to be used to log certain ++ classes of messages. ++ ++rationale: |- ++ A great deal of important security-related information is sent via ++ rsyslog (e.g., successful and failed su attempts, failed login attempts, ++ root login attempts, etc.). ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-92379-7 ++ cce@sle15: CCE-92497-7 ++ ++references: ++ cis@sle12: 4.2.1.4 ++ cis@sle15: 4.2.1.4 ++ ++ocil_clause: 'no logging is configured' ++ ++ocil: |- ++ Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf ++ files to ensure appropriate logging is set. In addition, run the following command: ++
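Review bot: The pattern `^[^(\s|#|\$)]+[\s]+...` used for both /etc/rsyslog.conf and /etc/rsyslog.d in this OVAL places `(`, `|` and `)` inside a negated character class, where they are literal characters rather than grouping and alternation, so the class also rejects lines beginning with a parenthesis or a pipe; the intent reads as `^[^\s#$]+\s+`, and the same idiom recurs in the ansible, bash and oval templates added further down. Functionally this only excludes a few unusual first characters, but a reader is likely to assume the alternation works as written. The check as a whole passes as soon as one selector writes to a file or a `:module:` style action target, which matches the pass test but is worth stating in the rule description because the title `Ensure logging is configured` suggests a broader requirement.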
ls -l /var/log/
++ and verify that the log files are logging information ++ ++fixtext: |- ++ Configure logging with selectors covering each priority +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +new file mode 100644 +index 0000000000..a4fb1cf07a +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* /var/log/messages ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +new file mode 100644 +index 0000000000..158cf4c98d +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and no loggging facility/priority configured ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++EOF +diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- 
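Review bot: The `fixtext` in this new rule says `Configure logging with selectors covering each priority`, but the OVAL in the previous hunk passes as soon as one rule line writes to a file and the ansible/bash remediations add a single `*.* /var/log/messages` line, so the documented fix does not match what the check verifies or what the remediation does; `Configure at least one rsyslog rule that writes messages to a log file, for example *.* /var/log/messages` would describe it. In the description, `files specifies rules` should read `files specify rules`. The OCIL asks to `verify that the log files are logging information` without saying how; `and verify that the log files referenced by those rules exist and are being written to` gives the assessor a concrete step.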
a/products/debian10/profiles/anssi_np_nt28_average.profile ++++ b/products/debian10/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile +index 3784182fa1..446f5aca1d 100644 +--- a/products/debian10/profiles/standard.profile ++++ b/products/debian10/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/debian11/profiles/anssi_np_nt28_average.profile ++++ b/products/debian11/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile +index e1b2c718df..c21f8d592b 100644 +--- a/products/debian11/profiles/standard.profile ++++ b/products/debian11/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - 
rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile +index 12a3a25013..a246d5a094 100644 +--- a/products/rhel7/profiles/rht-ccp.profile ++++ b/products/rhel7/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index b192461f95..6856951bff 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_logind_session_timeout=5_minutes + - var_accounts_minimum_age_login_defs=7 +diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile +index 24a98fd824..22498b6b6f 100644 +--- a/products/sle12/profiles/anssi_bp28_intermediary.profile ++++ b/products/sle12/profiles/anssi_bp28_intermediary.profile +@@ -23,3 +23,4 @@ description: |- + + selections: + - anssi:all:intermediary ++ +diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile +index 204804c2ee..1af0a865ef 100644 +--- a/products/sle15/profiles/standard.profile ++++ b/products/sle15/profiles/standard.profile +@@ -29,9 +29,7 @@ selections: + - service_cron_enabled + - service_ntp_enabled + - service_rsyslog_enabled +- - file_owner_logfiles_value=adm + - 
rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - ensure_logrotate_activated +diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile +index 6fd70f0da6..93001f3bfe 100644 +--- a/products/ubuntu1604/profiles/standard.profile ++++ b/products/ubuntu1604/profiles/standard.profile +@@ -34,9 +34,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git 
a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile +index d587d499d8..a17117818e 100644 +--- a/products/ubuntu1804/profiles/standard.profile ++++ b/products/ubuntu1804/profiles/standard.profile +@@ -32,9 +32,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile +index 823a69a5d9..6ed27aa16d 100644 +--- a/products/ubuntu2004/profiles/standard.profile ++++ b/products/ubuntu2004/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile +index c8bc5369c9..1bb9f43e7d 100644 +--- a/products/ubuntu2204/profiles/standard.profile ++++ b/products/ubuntu2204/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt +index c119834759..4e0a76f8de 100644 +--- a/shared/references/cce-sle12-avail.txt ++++ b/shared/references/cce-sle12-avail.txt +@@ -54,7 +54,6 @@ CCE-92375-5 + CCE-92376-3 + CCE-92377-1 + CCE-92378-9 +-CCE-92379-7 + 
CCE-92380-5 + CCE-92381-3 + CCE-92382-1 +diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt +index d04c40d31f..e39dae033e 100644 +--- a/shared/references/cce-sle15-avail.txt ++++ b/shared/references/cce-sle15-avail.txt +@@ -17,7 +17,6 @@ CCE-92492-8 + CCE-92493-6 + CCE-92495-1 + CCE-92496-9 +-CCE-92497-7 + CCE-92498-5 + CCE-92499-3 + CCE-92500-8 +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +new file mode 100644 +index 0000000000..fc9e8844b6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +@@ -0,0 +1,68 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = medium ++ ++- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts' ++ ansible.builtin.set_fact: ++ rsyslog_etc_config: "/etc/rsyslog.conf" ++ ++# * And also the log file paths listed after rsyslog's $IncludeConfig directive ++# (store the result into array for the case there's shell glob used as value of IncludeConfig) ++- name: '{{{ rule_title }}} - Get IncludeConfig directive' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true ++ register: rsyslog_old_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Get include files directives' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true ++ register: rsyslog_new_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Aggregate rsyslog includes' ++ ansible.builtin.set_fact: ++ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" ++ ++- name: '{{{ rule_title }}} - List all config files' ++ ansible.builtin.find: ++ paths: "{{ include_config_output | list | map('dirname') }}" ++ patterns: "{{ 
include_config_output | list | map('basename') }}" ++ hidden: no ++ follow: yes ++ register: rsyslog_config_files ++ failed_when: False ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files old format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_old ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files new format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_new ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Sum all log files found' ++ ansible.builtin.set_fact: ++ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}" ++ ++- name: '{{{ rule_title }}} -Setup log files attribute' ++ ansible.builtin.file: ++ path: "{{ item }}" ++ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' ++ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' ++ state: file ++ loop: "{{ log_files | list | flatten | unique }}" ++ failed_when: false +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +new file mode 100644 +index 0000000000..ab4a563dc5 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +@@ -0,0 +1,110 @@ ++# platform = multi_platform_all ++ ++# 
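Review bot: The final `ansible.builtin.file` task ends with `failed_when: false`, so a chown/chgrp that actually fails is reported as a successful remediation and the log file silently keeps its current owner; the same flag on the `find` task hides errors there too. The flag is presumably there because `state: file` fails for log paths that are named in the configuration but do not exist yet. Stat the candidate paths first and apply the attribute only to existing regular files, leaving genuine failures visible, as sketched below. The task name `-Setup log files attribute` is also missing the space after the dash that the other task names use.
```yaml
- name: '{{{ rule_title }}} - Stat log files found'
  ansible.builtin.stat:
    path: "{{ item }}"
  loop: "{{ log_files | list | flatten | unique }}"
  register: log_files_stat

- name: '{{{ rule_title }}} - Setup log files attribute'
  ansible.builtin.file:
    path: "{{ item.stat.path }}"
    # … unchanged: owner / group parameters …
    state: file
  loop: "{{ log_files_stat.results }}"
  when: item.stat.exists and item.stat.isreg
```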
List of log file paths to be inspected for correct permissions ++# * Primarily inspect log file paths listed in /etc/rsyslog.conf ++RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" ++# * And also the log file paths listed after rsyslog's $IncludeConfig directive ++# (store the result into array for the case there's shell glob used as value of IncludeConfig) ++readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++ ++# Declare an array to hold the final list of different log file paths ++declare -a LOG_FILE_PATHS ++ ++# Array to hold all rsyslog config entries ++RSYSLOG_CONFIGS=() ++RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++ ++# Get full list of files to be checked ++# RSYSLOG_CONFIGS may contain globs such as ++# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule ++# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. ++RSYSLOG_CONFIG_FILES=() ++for ENTRY in "${RSYSLOG_CONFIGS[@]}" ++do ++ # If directory, rsyslog will search for config files in recursively. ++ # However, files in hidden sub-directories or hidden files will be ignored. 
++ if [ -d "${ENTRY}" ] ++ then ++ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) ++ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") ++ elif [ -f "${ENTRY}" ] ++ then ++ RSYSLOG_CONFIG_FILES+=("${ENTRY}") ++ else ++ echo "Invalid include object: ${ENTRY}" ++ fi ++done ++ ++# Browse each file selected above as containing paths of log files ++# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" ++do ++ # From each of these files extract just particular log file path(s), thus: ++ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, ++ # * Ignore empty lines, ++ # * Strip quotes and closing brackets from paths. ++ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files ++ # * From the remaining valid rows select only fields constituting a log file path ++ # Text file column is understood to represent a log file path if and only if all of the following are met: ++ # * it contains at least one slash '/' character, ++ # * it is preceded by space ++ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters ++ # Search log file for path(s) only in case it exists! 
++ if [[ -f "${LOG_FILE}" ]] ++ then ++ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") ++ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") ++ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") ++ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") ++ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") ++ # Since above sed command might return more than one item (delimited by newline), split the particular ++ # matches entries into new array specific for this log file ++ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" ++ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with ++ # items from newly created array for this log file ++ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") ++ # Delete the temporary array ++ unset ARRAY_FOR_LOG_FILE ++ fi ++done ++ ++# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly ++# extract possibly multiline action omfile expressions ++# extract File="logfile" expression ++# match only "logfile" expression ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" ++do ++ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") ++ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") ++ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") ++done ++ ++FILE_PARAM="{{{ ATTRIBUTE }}}" ++FILE_CMD="" ++case "$FILE_PARAM" in ++ "groupowner") ++ FILE_CMD=$(which chgrp) ++ ;; ++ "owner") ++ FILE_CMD=$(which chown) ++ ;; ++ *) ++ echo -n "Not supported file attribute! 
" ++ exit 1 ++ ;; ++esac ++ ++# Correct the form o ++for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" ++do ++ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing ++ if [ -z "$LOG_FILE_PATH" ] ++ then ++ continue ++ fi ++ ++ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" ++done +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +new file mode 100644 +index 0000000000..4f288df1c9 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +@@ -0,0 +1,137 @@ ++ ++ ++ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_include_config_regex ++ ++ ++ ++ ^/etc/rsyslog.conf$ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ object_var_{{{ _RULE_ID }}}_include_config_regex ++ object_var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ 1 ++ state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ ++ ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ regular ++ {{% if ATTRIBUTE == "groupowner" %}} ++ {{{ VALUE }}} ++ {{% else %}} ++ {{{ VALUE }}} ++ {{% endif %}} ++ ++ ++ +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +new file mode 100644 +index 0000000000..b57de6fbb6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +@@ -0,0 +1,4 @@ ++supported_languages: ++ - ansible ++ - bash ++ - oval +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +index 6c82a1942f..db7e5261eb 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +index b24e5e1699..b03268fe3e 100755 +--- 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +index 18f43c6927..d79ae23cfc 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR 
$USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +old mode 100755 +new mode 100644 +similarity index 50% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +index 05dd50ed24..7869a180a8 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +@@ -1,20 +1,31 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. 
+ + source $SHARED/rsyslog_log_utils.sh + +-GROUP=root ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ ++USER_TEST=testssg ++$ADDCOMMAND $USER_TEST ++ ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -28,13 +39,25 @@ EOF + + # create test2 configuration file + test_conf2=${RSYSLOG_TEST_DIR}/test2.conf ++{{% if ATTRIBUTE == "owner" %}} ++cat << EOF > ${test_conf2} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") ++EOF ++{{% else %}} + cat << EOF > ${test_conf2} + # rsyslog configuration file + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") + EOF ++{{% endif %}} + + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +index 69dead5135..e80395ca99 100755 +--- 
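Review bot: The rewritten header comment in this hunk, `# Check rsyslog.conf with root user log from rules and` / `# root user log from include() passes.`, no longer matches the script: the new file name ends in `.fail.sh`, all three logs are assigned to `$USER_TEST`, and the second hunk writes a RainerScript `action(type="omfile" ...)` rule into test2.conf. A comment such as `# Check rsyslog.conf with non-root {{{ ATTRIBUTE }}} on logs referenced from rules, include() and a RainerScript omfile action fails.` would describe it, and the file is already a template so `{{{ ATTRIBUTE }}}` is available. The mode change from `100755` to `100644` drops the executable bit that the other renamed tests keep, which looks unintended if the harness executes the scripts directly.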
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +@@ -6,14 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +index e725fb4d54..e7b4905dc5 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +@@ -6,18 +6,26 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_ROOT=root + + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER_ROOT 
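Review bot: The `{{% if ATTRIBUTE == "owner" %}}` … `{{% endif %}}` preamble that maps the template mode to `CHATTR` (and, where needed, `ADDCOMMAND`) is pasted verbatim into every test renamed here — this hunk, include_is_root_IncludeConfig_is_other.fail.sh, include_is_root_IncludeConfig_is_root.pass.sh, both RainerLogClause tests, include_multiline_is_root.pass.sh, is_other.fail.sh and is_root.pass.sh. If the test templating allows it, one shared macro or a templated helper sourced next to `rsyslog_log_utils.sh` would keep the owner/group mapping in a single place, so a later change (for example adding a third attribute) does not have to touch eight files. This hunk also ends up with two consecutive blank lines before the block, where the other files add only one.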
${RSYSLOG_TEST_LOGS[0]} +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +similarity index 82% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +index ca47d453c1..6389e6ea3b 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +@@ -6,15 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} +-chown $USER ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +similarity index 65% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +index 9747e0b28b..6b81a77c2f 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +@@ -1,23 +1,26 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. 
+ + source $SHARED/rsyslog_log_utils.sh + +-GROUP_ROOT=root ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} + +-GROUP_TEST=testssg +-groupadd $GROUP_TEST ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2} + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") + EOF + + # create rsyslog.conf configuration file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +index d68cc2e67d..78b105abf3 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown 
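Review bot: The only RainerScript form the pass tests exercise is an `omfile` action that spells out `fileOwner="root" fileGroup="root"` explicitly (second hunk of include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh); an action line that omits `fileOwner`/`fileGroup` and relies on rsyslog's defaults is not covered by any hunk visible here, and since that is a common real-world configuration a pass or fail test for it would pin down how the check treats the missing parameters. `USER=root` replaces `GROUP_ROOT` in the first hunk and thereby overwrites the login `USER` environment variable for the rest of the script; `USER_ROOT`, which include_is_root_IncludeConfig_is_other.fail.sh already uses for the same value, avoids that. The header comment now reads `root user log` in both template modes; `# root-owned (owner or group, per ATTRIBUTE) log` would be accurate for both.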
$USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +similarity index 70% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +index 7edbb17ea1..1afe20823c 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +@@ -5,15 +5,23 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=testssg + +-useradd $USER ++$ADDCOMMAND $USER + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with non-root user owned log file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +index e0e518bc50..afce21fa27 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh ++++ 
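Review bot: The comment `# add rule with non-root user owned log file` in is_other.fail.sh is only accurate when ATTRIBUTE is `owner`; in the group branch the log is group-owned by `testssg` and its user owner stays root. Suggest `# add rule with a log file whose owner/group (per ATTRIBUTE) is non-root`; the matching `# add rule with root user owned log file` in is_root.pass.sh has the same issue. The heredoc that writes `$RSYSLOG_CONF` continues past the end of the hunk.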
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +@@ -5,13 +5,19 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with root user owned log file + cat << EOF > $RSYSLOG_CONF +-- +2.39.1 + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 89f26f7..eda0e78 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec 
@@ -5,24 +5,24 @@ # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.63 -Release: 5%{?dist} +Version: 0.1.66 +Release: 1%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +# Rsyslog files rules remediations +Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch +# Extends rsyslog_logfiles_attributes_modify template for permissions +Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch +# Change custom zones check in firewalld_sshd_port_enabled +Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch +# Accept required and requisite control flag for pam_pwhistory +Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch +# remove rule logind_session_timeout and associated variable from profiles +Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch BuildArch: noarch -Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch -Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch -Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch -Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch -Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch -Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch -Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch -Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch -Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch - BuildRequires: libxslt BuildRequires: expat BuildRequires: 
openscap-scanner >= 1.2.5 @@ -108,6 +108,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Mon Feb 13 2023 Watson Sato - 0.1.66-1 +- Rebase to a new upstream release 0.1.66 (RHBZ#2169443) +- Fix remediation of audit watch rules (RHBZ#2169441) +- Fix check firewalld_sshd_port_enabled (RHBZ#2169443) +- Fix accepted control flags for pam_pwhistory (RHBZ#2169443) +- Unselect rule logind_session_timeout (RHBZ#2169443) +- Add support rainer scripts in rsyslog rules (RHBZ#2169445) + * Thu Aug 25 2022 Gabriel Becker - 0.1.63-5 - OSPP: fix rule related to coredump (RHBZ#2081688)
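Review bot: Patch1–Patch5 carry a `0.1.67` prefix while `Version` is `0.1.66`, and nothing in the spec explains the mismatch; a one-line comment above the block such as `# Backports of upstream PRs (presumably from the 0.1.67 development cycle); PR number is in each file name` would stop a reader from treating it as a typo. The Patch5 comment `# remove rule logind_session_timeout and associated variable from profiles` is the only lower-case one in the list. The new patch lines sit between `Source0` and `BuildArch`, and the blank line that separated the old patch list from `BuildRequires` is removed, so `BuildArch: noarch` now runs straight into `BuildRequires` without the grouping the old layout had.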