rpms
/
scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import scap-security-guide-0.1.66-2.el8

This commit is contained in:
CentOS Sources 2023-02-18 00:50:21 +00:00 committed by Stepan Oksanichenko
parent d9c05f8559
commit 8066a72e3f
42 changed files with 5530 additions and 19124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.63.tar.bz2
SOURCES/scap-security-guide-0.1.66.tar.bz2

2
.scap-security-guide.metadata
View File

@ -1,2 +1,2 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2

34
SOURCES/disable-not-in-good-shape-profiles.patch
View File

@ -1,8 +1,24 @@
From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 6 Feb 2023 14:44:17 +0100
Subject: [PATCH] Disable profiles not in good shape
Patch-name: disable-not-in-good-shape-profiles.patch
Patch-id: 0
Patch-status: |
Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
---
products/rhel8/CMakeLists.txt | 1 -
products/rhel8/profiles/cjis.profile | 2 +-
products/rhel8/profiles/rht-ccp.profile | 2 +-
products/rhel8/profiles/standard.profile | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
index 5258591c7f..cc4b9c5720 100644
index 9c044b68ab..8f6ca03de8 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT})
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
@ -10,8 +26,8 @@ index 5258591c7f..cc4b9c5720 100644
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 22ae5aac72..f60b65bc06 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -20,8 +36,8 @@ index 035d2705b..c6475f33e 100644
metadata:
version: 5.4
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index b192461f95..ae1e7d5a15 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -30,8 +46,8 @@ index c84579592..164ec98c4 100644
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index a63ae2cf32..da669bb843 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -41,5 +57,5 @@ index a63ae2cf3..da669bb84 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.26.2
2.39.1

227
SOURCES/scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
View File

@ -1,227 +0,0 @@
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:42:41 +0200
Subject: [PATCH 1/3] Add platforms for partition existence
---
shared/applicability/general.yml | 14 +++++++++++++
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
shared/macros/10-ansible.jinja | 5 +++++
shared/macros/10-bash.jinja | 5 +++++
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
6 files changed, 65 insertions(+)
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d753148..e2f5d04ce00 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
+ - partition-var-tmp:
+ name: "cpe:/a:partition-var-tmp"
+ title: "There is a /var/tmp partition"
+ check_id: installed_env_mounts_var_tmp
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
+
+ - partition-tmp:
+ name: "cpe:/a:partition-tmp"
+ title: "There is a /tmp partition"
+ check_id: installed_env_mounts_tmp
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
+
- polkit:
name: "cpe:/a:polkit"
title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 00000000000..c1bcd6b2431
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_tos("/tmp") }}}
+</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 00000000000..a72f49c8a8f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/var/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_tos("/var/tmp") }}}
+</def-group>
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 2d24f730d3f..478f0072bc7 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
when:
- result_pam_file_present.stat.exists
{{%- endmacro -%}}
+
+
+{{%- macro ansible_partition_conditional(path) -%}}
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 94c3c6f9570..6a7fb165fd2 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2085,3 +2085,8 @@ else
echo "{{{ pam_file }}} was not found" >&2
fi
{{%- endmacro -%}}
+
+
+{{%- macro bash_partition_conditional(path) -%}}
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb7..1ec93b6ef7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- else %}}
{{%- set user_list="nobody" %}}
{{%- endif %}}
+
+
+{{%- macro partition_exists_criterion(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro partition_exists_tos(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <linux:partition_test check="all" check_existence="all_exist"
+ comment="Partition {{{ path }}} exists"
+ id="test_partition_{{{ escaped_path }}}_exists"
+ version="1">
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+ {{#- <linux:partition_state state_ref="" /> #}}
+ </linux:partition_test>
+
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
+ </linux:partition_object>
+{{%- endmacro %}}
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:43:21 +0200
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
---
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e0..741d0973283 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
stigid@ol8: OL08-00-040132
stigid@rhel8: RHEL-08-040132
-platform: machine
+platforms:
+ - machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 00000000000..241c0103d82
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 11:32:38 +0200
Subject: [PATCH 3/3] Improve code style
- Improve description of OVAL macro
- Use the escape_id filter to produce IDs
---
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
shared/macros/10-oval.jinja | 7 +++----
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
index c1bcd6b2431..edd8ad050f5 100644
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/tmp") }}}
+ {{{ partition_exists_test_object("/tmp") }}}
</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
index a72f49c8a8f..cf9aafbdb04 100644
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/var/tmp") }}}
+ {{{ partition_exists_test_object("/var/tmp") }}}
</def-group>
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 1ec93b6ef7d..f302091f7df 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- macro partition_exists_criterion(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- set escaped_path = path | escape_id %}}
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
{{%- endmacro %}}
-{{%- macro partition_exists_tos(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
<linux:partition_test check="all" check_existence="all_exist"
comment="Partition {{{ path }}} exists"
id="test_partition_{{{ escaped_path }}}_exists"
version="1">
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
- {{#- <linux:partition_state state_ref="" /> #}}
</linux:partition_test>
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">

29
SOURCES/scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
View File

@ -1,29 +0,0 @@
From 172258291cea7100e89002203f3d9ae1bc468cd3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 21 Sep 2022 17:22:29 +0200
Subject: [PATCH] add warning to sysctl_net_ipv4_conf_all_forwarding
---
.../sysctl_net_ipv4_conf_all_forwarding/rule.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
index 7b0066f7c29..20a778cdf9e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -36,6 +36,15 @@ srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless th
platform: machine
+
+warnings:
+ - general: |-
+ There might be cases when certain applications can systematically override this option.
+ One such case is {{{ weblink("https://libvirt.org/", "Libvirt") }}}; a toolkit for managing of virtualization platforms.
+ By default, Libvirt requires IP forwarding to be enabled to facilitate
+ network communication between the virtualization host and guest
+ machines. It enables IP forwarding after every reboot.
+
template:
name: sysctl
vars:

92
SOURCES/scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
View File

@ -1,92 +0,0 @@
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 13:35:50 +0200
Subject: [PATCH] Add the platform applicability to relevant rules
---
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 45a73e0286a..79a19a8d30b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -45,7 +45,7 @@ references:
stigid@ol8: OL08-00-040123
stigid@rhel8: RHEL-08-040123
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 7356183bab3..d3f6d6175e5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -44,7 +44,7 @@ references:
stigid@ol8: OL08-00-040125
stigid@rhel8: RHEL-08-040125
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index d153b86934f..10790dc95a7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -45,7 +45,7 @@ references:
stigid@ol8: OL08-00-040124
stigid@rhel8: RHEL-08-040124
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
index 133e7727ca7..05992df4b49 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -31,7 +31,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-3
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 39fd458ec6b..dc00b2f2376 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -38,7 +38,7 @@ references:
stigid@ol8: OL08-00-040134
stigid@rhel8: RHEL-08-040134
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 349f3348955..f0c26b6d9c5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -38,7 +38,7 @@ references:
stigid@ol8: OL08-00-040133
stigid@rhel8: RHEL-08-040133
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option

48
SOURCES/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
View File

@ -1,48 +0,0 @@
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:14:58 +0200
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
It seems that the data about ansible_mounts should be accessed without
the 'ansible_facts' prefix.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 478f0072bc7..e8bff0973f5 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
{{%- endmacro -%}}
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:16:24 +0200
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
The json_query filter requires package jmespath to be installed.
This also avoids mismatchs in python version between ansible and
python3-jmespath. Some distros (RHEL8) don't have jmespath module
available for the same python version ansible is using.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index e8bff0973f5..beb2bc11403 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
{{%- endmacro -%}}

33
SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
View File

@ -1,33 +0,0 @@
From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 16 Aug 2022 18:53:02 +0200
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
uses zIPL.
---
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 65056a654c6..7af675de0d3 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -7,9 +7,16 @@
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- {{% if product in ["ol8","rhel8"] %}}
+ {{% if product in ["ol8"] %}}
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
+ {{% elif product in ["rhel8"] %}}
+ <criteria operator="OR">
+ <extend_definition comment="Generic test for s390x architecture"
+ definition_ref="system_info_architecture_s390_64" />
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+ test_ref="test_grubenv_fips_mode" />
+ </criteria>
{{% endif %}}
</criteria>
</definition>

107
SOURCES/scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
View File

@ -1,107 +0,0 @@
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 5 Aug 2022 12:45:24 +0200
Subject: [PATCH] Fix rule sudo_custom_logfile
- Allow only white space after the Default keyword to avoid
matching words that only start with Default.
- If the variable value contains slashes they need to be escaped
because the sed command uses slashes as a separator, otherwise
the sed doesn't replace the wrong line during a remediation.
Also adds 2 test scenarios.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
shared/templates/sudo_defaults_option/ansible.template | 2 +-
shared/templates/sudo_defaults_option/bash.template | 5 +++--
shared/templates/sudo_defaults_option/oval.template | 2 +-
6 files changed, 14 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 739f5f14936..94fbaaa33ed 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
ocil: |-
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
new file mode 100644
index 00000000000..13ff4559edb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
new file mode 100644
index 00000000000..ec24854f0f9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
index 094fa430b64..c9e344ec772 100644
--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
@@ -8,7 +8,7 @@
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
lineinfile:
path: /etc/sudoers
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
validate: /usr/sbin/visudo -cf %s
backrefs: yes
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
index e3563d42db6..e7d962a668d 100644
--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
@@ -9,7 +9,7 @@
{{% endif %}}
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option {{{ OPTION }}}
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
{{%- if not VARIABLE_NAME %}}
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
{{% if '/' in OPTION %}}
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
{{% endif %}}
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
{{% endif %}}
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
index c0d81c95093..a9636a7204a 100644
--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
@@ -13,7 +13,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
</ind:textfilecontent54_object>

967
SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
View File

@ -1,967 +0,0 @@
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Wed, 13 Apr 2022 20:06:18 +0800
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
A simple test case as follows:
/etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
/etc/rsyslog.d/custom1.conf
local1.* /tmp/local1.out
/etc/rsyslog.d/custom2.conf
local2.* /tmp/local2.out
---
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index b794ea8db31..02b0c36d899 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,8 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 14 Apr 2022 15:58:04 +0800
Subject: [PATCH 02/15] A better fix.
* Should also fixed the CI failure.
---
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 02b0c36d899..1aebb8f9da5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,10 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 15 Apr 2022 10:47:37 +0800
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
---
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
2 files changed, 113 insertions(+)
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
new file mode 100755
index 00000000000..7cb09128d78
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0600 from $IncludeConfig passes.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS=0600
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
new file mode 100755
index 00000000000..942eaf086a1
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0601 from $IncludeConfig fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 19 May 2022 01:22:19 +0800
Subject: [PATCH 04/15] The way using 'find' can be retired.
---
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 1aebb8f9da5..cece5930ee8 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
-RSYSLOG_CONFIGS=()
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Get full list of files to be checked
-# RSYSLOG_CONFIGS may contain globs such as
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-RSYSLOG_FILES=()
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
-do
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
- RSYSLOG_FILES+=("${FINDOUT[@]}")
-done
-
-# Check file and fix if needed.
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:30:37 +0800
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
---
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cece5930ee8..50d36d7426f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
+# Array to hold all rsyslog config entries
declare -a RSYSLOG_CONFIGS
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+ # If directory, need to include files recursively
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
+done
+
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:46:33 +0800
Subject: [PATCH 06/15] Update test files.
---
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
2 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 7cb09128d78..2ddd9fcb697 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 942eaf086a1..73ff3332c6d 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 10:03:32 +0800
Subject: [PATCH 07/15] Rsyslog says we should include all files
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 50d36d7426f..cd5014105e9 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -24,7 +24,7 @@ do
# If directory, need to include files recursively
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 2ddd9fcb697..755865ca522 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -31,12 +35,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 73ff3332c6d..063b1a0cbe5 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,20 +10,24 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -32,12 +36,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sat, 21 May 2022 16:02:26 +0800
Subject: [PATCH 08/15] Match glob() function of rsyslog
---
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
3 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cd5014105e9..38105bf086b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
declare -a RSYSLOG_CONFIG_FILES
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
- # If directory, need to include files recursively
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 755865ca522..a5a2f67fadc 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 063b1a0cbe5..a9d0adfb727 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,48 +10,61 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sun, 22 May 2022 21:10:16 +0800
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 38105bf086b..e1129e34c81 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -54,7 +54,7 @@ do
then
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
# Since above sed command might return more than one item (delimited by newline), split the particular
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Tue, 24 May 2022 00:42:17 +0800
Subject: [PATCH 10/15] Added platform.
---
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index a9d0adfb727..fe4db0a3c91 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# Check rsyslog.conf with log file permissions 0600 from rules and
# log file permissions 0601 from $IncludeConfig fails.
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 13:56:39 +0200
Subject: [PATCH 11/15] Reset the arrays before using them
When bash remediations for a profile are generated, it can happen that a
variable with same name is used for multiple remediations.
So let's reset the array before using it.
---
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index e1129e34c81..d1856ffbe7b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
declare -a LOG_FILE_PATHS
# Array to hold all rsyslog config entries
-declare -a RSYSLOG_CONFIGS
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Array to hold all rsyslog config files
-declare -a RSYSLOG_CONFIG_FILES
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
# If directory, rsyslog will search for config files in recursively.
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 14:55:37 +0200
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
Let's follow rsyslog behavior and not capture process hidden config
files for includes.
---
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a04e6fd8900..d13177216c3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -17,8 +17,17 @@
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
+ include() or $IncludeConfig that point to hidden dirs or files.
+ Rsyslog ignores these conf files, so we should ignore them too.
+ -->
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
+ </ind:textfilecontent54_state>
+
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
<unique>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
new file mode 100644
index 00000000000..9b0185c6b2f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create hidden test2 configuration file
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 15:49:11 +0200
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
The rsyslog conf file may include other config files.
If the included missing files are missing rsyslog will generate an
error, but will still continue working.
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
There is not a good way of ensuring that all files defined in a list of paths exist.
---
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
new file mode 100644
index 00000000000..b929f2a94ab
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# Skip creation test2 configuration file
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:47:18 +0200
Subject: [PATCH 14/15] Align Ansible remediation with Bash
The remediation now expands the glob expressions and doesn't collect
hidden files or directories to check for their permissions.
---
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index 635b72f7352..c558bf46c71 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -19,19 +19,26 @@
shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
- register: include_config_output
+ register: rsyslog_old_inc
changed_when: False
- name: "Get include files directives"
shell: |
set -o pipefail
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
- register: include_files_output
+ register: rsyslog_new_inc
changed_when: False
+- name: "Expand glob expressions"
+ shell: |
+ set -o pipefail
+ eval printf '%s\\n' {{ item }}
+ register: include_config_output
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
- name: "List all config files"
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
+ shell: find {{ item }} -not -path "*/.*" -type f
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
changed_when: False
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:56:05 +0200
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
Let's not fail the task when the find doesn't find the include object.
When the include is a glob expression that doesn't evaluate to any file
the glob itself is used in find command.
The Bash remediation prints a message for each include that is not a
file is not a directory or doesn't exist.
---
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index c558bf46c71..3a9380cf13b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -40,6 +40,7 @@
shell: find {{ item }} -not -path "*/.*" -type f
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
+ failed_when: False
changed_when: False
- name: "Extract log files"

90
SOURCES/scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
View File

@ -1,90 +0,0 @@
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:15 +0200
Subject: [PATCH 1/4] fix ospp references
---
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
index c151d3c4aa1..f9b46c51ddd 100644
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
disa: CCI-000213
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
nist: AC-3
+ ospp: FIA_UAU.1,FIA_AFL.1
srg: SRG-OS-000480-GPOS-00227
ocil: |-
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:42 +0200
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b47630c62b0..dcc41970043 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
- coredump_disable_storage
- coredump_disable_backtraces
- service_systemd-coredump_disabled
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- use_pam_wheel_for_su
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:54 +0200
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
---
products/rhel8/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7a..ebec8a3a6f9 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 13:55:05 +0200
Subject: [PATCH 4/4] update profile stability test
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5d73a8c6fef..21e93e310d5 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
- var_slub_debug_options=P
- var_auditd_flush=incremental_async
- var_accounts_max_concurrent_login_sessions=10
-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted

50
SOURCES/scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
View File

@ -1,50 +0,0 @@
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 10 Aug 2022 09:59:57 +0200
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
grub2_disable_recovery in rhel8 ospp
---
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
products/rhel8/profiles/ospp.profile | 2 +-
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
index 4f8d4ddcfde..fb126cbe7d8 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-86006-4
cce@rhel9: CCE-85986-8
references:
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index ebec8a3a6f9..6e3b30f64bb 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -304,7 +304,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 21e93e310d5..267b66a4f89 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
- ensure_redhat_gpgkey_installed
- grub2_audit_argument
- grub2_audit_backlog_limit_argument
-- grub2_disable_interactive_boot
+- grub2_disable_recovery
- grub2_kernel_trust_cpu_rng
- grub2_page_poison_argument
- grub2_pti_argument

26
SOURCES/scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
View File

@ -1,26 +0,0 @@
From bd2128cdc6a657306b8c9644481346f0ab4411f6 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Mon, 5 Sep 2022 11:07:33 -0500
Subject: [PATCH] Update OVAL in openssh rule
Update OVAL in harden_sshd_ciphers_opensshserver_conf_crypto_policy to
align it with generated conf by remediation
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
.../oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
index 53919eaae7f..21d4e716dbc 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -16,7 +16,7 @@
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
<ind:filepath>{{{ PATH }}}</ind:filepath>
- <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=[^\s']+).*$</ind:pattern>
<ind:instance operation="equals" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

97
SOURCES/scap-security-guide-0.1.64-stig_aide-PR_9282.patch
View File

@ -1,97 +0,0 @@
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:01:42 +0200
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
---
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
index 9d1b7b675c9..5905ea8d0e6 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
@@ -22,6 +22,7 @@
- /usr/sbin/aureport
- /usr/sbin/ausearch
- /usr/sbin/autrace
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
- name: Ensure existing AIDE configuration for audit tools are correct
lineinfile:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
index d0a1ba2522f..a81e25c3950 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
@@ -18,12 +18,11 @@
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
{{% endif %}}
-{{% if product == 'ol8' %}}
+{{% if product == 'ol8' or 'rhel' in product %}}
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
{{% endif %}}
{{% for file in auditfiles %}}
-
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
else
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
index 6ce56c1137a..ca9bf4f94d0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
@@ -11,7 +11,7 @@
{{% if 'rhel' not in product and product != 'ol8' %}}
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
{{% endif %}}
- {{% if product == 'ol8' %}}
+ {{% if product == 'ol8' or 'rhel' in product %}}
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
{{% endif %}}
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
index 756b88d8a23..071dde13295 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
@@ -7,7 +7,7 @@ aide --init
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
index f3a2a126d3d..cb9bbfa7350 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
@@ -4,7 +4,7 @@
yum -y install aide
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
index 4315cef2073..a22aecb0000 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
@@ -6,7 +6,7 @@ yum -y install aide
aide --init
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do

4490
SOURCES/scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
View File

File diff suppressed because one or more lines are too long

187
SOURCES/scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
View File

@ -1,187 +0,0 @@
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:50:37 +0200
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
sysctl_net_ipv4_forward.
---
.../rule.yml | 44 +++++++++++++++++++
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 00000000000..7b0066f7c29
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+ IP forwarding permits the kernel to forward packets from one network
+ interface to another. The ability to forward packets between two networks is
+ only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86220-1
+
+references:
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+ The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.forwarding
+ datatype: int
+
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 00000000000..2aedd6e6432
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "0"
+ disabled: "0"
+ enabled: 1
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 914233f06bf..3e14b73dd71 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
CCE-86217-7
CCE-86218-5
CCE-86219-3
-CCE-86220-1
CCE-86221-9
CCE-86222-7
CCE-86223-5
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:53:32 +0200
Subject: [PATCH 2/2] Better align with RHEL-08-040259
The item is about net.ipv4.conf.all.forwarding
The update to V1R7 made brought this misalignment to light.
---
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3a..7acfc0b05b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-040740
stigid@ol8: OL08-00-040260
stigid@rhel7: RHEL-07-040740
- stigid@rhel8: RHEL-08-040259
stigid@sle12: SLES-12-030430
stigid@sle15: SLES-15-040380
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c11..6b44436a2b1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_source_route
# RHEL-08-040259
- - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_forwarding
# RHEL-08-040260
- sysctl_net_ipv6_conf_all_forwarding
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d0..47f53a9d023 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
title: DISA STIG for Red Hat Enterprise Linux 8
description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6f..c4e60ddcde5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route

89
SOURCES/scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
View File

@ -1,89 +0,0 @@
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 9 Aug 2022 17:28:33 +0200
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
profile.
---
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
products/rhel8/profiles/stig.profile | 14 +++++++-------
tests/data/profile_stability/rhel8/stig.profile | 2 ++
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
5 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 46ea0558a42..1e9c6172758 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -57,6 +57,7 @@ references:
stigid@ol7: OL07-00-040320
stigid@ol8: OL08-00-010201
stigid@rhel7: RHEL-07-040320
+ stigid@rhel8: RHEL-08-010201
stigid@sle12: SLES-12-030190
stigid@sle15: SLES-15-010280
stigid@ubuntu2004: UBTU-20-010037
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index 0f0693ddc6c..f6e98a61d9a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -53,6 +53,7 @@ references:
stigid@ol7: OL07-00-040340
stigid@ol8: OL08-00-010200
stigid@rhel7: RHEL-07-040340
+ stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@sle15: SLES-15-010320
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6b44436a2b1..124b7520d3a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -170,13 +170,13 @@ selections:
# RHEL-08-010190
- dir_perms_world_writable_sticky_bits
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
- # anymore. They will be disabled for now until an alternative
- # solution is found.
- # # RHEL-08-010200
- # - sshd_set_keepalive_0
- # # RHEL-08-010201
- # - sshd_set_idle_timeout
+ # Although these rules have a different behavior in RHEL>=8.6
+ # they still need to be selected so it follows exactly what STIG
+ # states.
+ # RHEL-08-010200
+ - sshd_set_keepalive_0
+ # RHEL-08-010201
+ - sshd_set_idle_timeout
# RHEL-08-010210
- file_permissions_var_log_messages
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 47f53a9d023..6c75d0ae1b1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -369,6 +369,8 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
+- sshd_set_idle_timeout
+- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c4e60ddcde5..8a7a469b940 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -379,6 +379,8 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
+- sshd_set_idle_timeout
+- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification

113
SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
View File

@ -1,113 +0,0 @@
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:57:52 +0200
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
Update rule sudoers_default_includedir to accept as compliant sudoers
files that don't have any #include or #includedir directive
---
.../oval/shared.xml | 24 +++++++++++++++----
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
3 files changed, 26 insertions(+), 8 deletions(-)
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 59cab0b89de..629fbe8c6d2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -1,10 +1,16 @@
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
- <criteria operator="AND">
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
+ </criteria>
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ </criteria>
</criteria>
</definition>
@@ -32,6 +38,16 @@
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
+ <ind:object object_ref="object_sudoers_without_includedir" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_test check="all" check_existence="none_exist"
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
<ind:object object_ref="object_sudoersd_without_includes" />
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
index aa2aaee19f8..83bfb0183bd 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -8,9 +8,11 @@ description: |-
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
+ or that no drop-in file is included.
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
Note that the '#' character doesn't denote a comment in the configuration file.
rationale: |-
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
similarity index 51%
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
index 1e0ab8aea92..fe73cb25076 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
@@ -1,4 +1,4 @@
#!/bin/bash
# platform = multi_platform_all
-sed -i "/#includedir.*/d" /etc/sudoers
+sed -i "/#include(dir)?.*/d" /etc/sudoers
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 12:01:12 +0200
Subject: [PATCH 2/2] Improve definition's comments
---
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 629fbe8c6d2..82095acc6ed 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -8,8 +8,8 @@
</criteria>
<criteria operator="AND">
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
</criteria>
</criteria>
</definition>

358
SOURCES/scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
View File

@ -1,358 +0,0 @@
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 09:57:33 +0200
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
.../tests/value_1.pass.sh | 10 ++++++++++
.../tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
4 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 496a8491f32..697f79fa872 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,4 +59,8 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
new file mode 100644
index 00000000000..516bfaf1369
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
new file mode 100644
index 00000000000..ef1b8da0479
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
index e3fc78e3f05..1eae854f6b0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
@@ -17,5 +17,5 @@ interactive: false
options:
default: 1
- disabled: "0"
enabled: 1
+ loose: 2
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 10:53:40 +0200
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict_value.var | 1 -
4 files changed, 24 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1984b3c8691..5706eee0a0a 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,6 +42,10 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
new file mode 100644
index 00000000000..e6efae48b25
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
new file mode 100644
index 00000000000..be3f2b743ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
index 452328e3efd..268550de53d 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
@@ -12,6 +12,5 @@ interactive: false
options:
default: 1
- 0: 0
1: 1
2: 2
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:08:34 +0200
Subject: [PATCH 3/5] Remove variable selector that will result in error
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
cannot have the value 0, it will never result in pass.
---
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
index b8bf965a255..cbfd9bafa91 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -13,6 +13,5 @@ interactive: false
options:
default: 2
- 0: "0"
1: "1"
2: "2"
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:33:03 +0200
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
For now, the only STIGs I see that adopted this change were RHEL's and
OL's.
---
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
6 files changed, 8 insertions(+)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 697f79fa872..f04ae37c13d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,8 +59,10 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
index 516bfaf1369..583b70a3b97 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
index ef1b8da0479..ef545976dc6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 5706eee0a0a..f53e035effa 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,10 +42,12 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
index e6efae48b25..70189666c16 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
index be3f2b743ef..209395fa9a1 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 14:01:40 +0200
Subject: [PATCH 5/5] Update OCIL check along with the rule
The OCIL should should mention both compliant values.
---
.../rule.yml | 29 +++++++++++++++++--
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index f04ae37c13d..4d31c6c3ebd 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -47,11 +47,36 @@ references:
stigid@rhel7: RHEL-07-040611
stigid@rhel8: RHEL-08-040285
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
+ocil: |-
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
+ by running the following command:
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
+ The output of the command should indicate either:
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
+ or:
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
+ The output of the command should not indicate:
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
+
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ The command should not find any assignments other than:
+ net.ipv4.conf.all.rp_filter = 1
+ or:
+ net.ipv4.conf.all.rp_filter = 2
+
+ Conflicting assignments are not allowed.
+
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
fixtext: |-
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index f53e035effa..367934b5672 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -34,6 +34,33 @@ references:
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
+ocil: |-
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
+ by running the following command:
+ <pre>$ sysctl kernel.kptr_restrict</pre>
+ The output of the command should indicate either:
+ <code>kernel.kptr_restrict = 1</code>
+ or:
+ <code>kernel.kptr_restrict = 2</code>
+ The output of the command should not indicate:
+ <code>kernel.kptr_restrict = 0</code>
+
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
+ The persistent kernel parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ The command should not find any assignments other than:
+ kernel.kptr_restrict = 1
+ or:
+ kernel.kptr_restrict = 2
+
+ Conflicting assignments are not allowed.
+
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
+
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
platform: machine
@@ -52,4 +79,4 @@ template:
fixtext: |-
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}

1888
SOURCES/scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
View File

File diff suppressed because it is too large Load Diff

92
SOURCES/scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
View File

@ -1,92 +0,0 @@
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Aug 2022 14:34:34 +0200
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
configuring queues
---
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 4ce56d2e6a5..c73d9ec95a6 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -90,3 +90,20 @@ fixtext: |-
*.* @@[remoteloggingserver]:[port]"
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
+
+warnings:
+ - functionality: |-
+ It is important to configure queues in case the client is sending log
+ messages to a remote server. If queues are not configured, there is a
+ danger that the system will stop functioning in case that the connection
+ to the remote server is not available. Please consult Rsyslog
+ documentation for more information about configuration of queues. The
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
+ can look like the following lines:
+ <pre>
+ $ActionQueueType LinkedList
+ $ActionQueueFileName somenameforprefix
+ $ActionQueueMaxDiskSpace 1g
+ $ActionQueueSaveOnShutdown on
+ $ActionResumeRetryCount -1
+ </pre>
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 09:41:00 +0200
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index c73d9ec95a6..706d3265a08 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -95,14 +95,14 @@ warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured, there is a
- danger that the system will stop functioning in case that the connection
+ the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
can look like the following lines:
<pre>
$ActionQueueType LinkedList
- $ActionQueueFileName somenameforprefix
+ $ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 10:55:04 +0200
Subject: [PATCH 3/3] Update
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 706d3265a08..cce4d5cac1d 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
- messages to a remote server. If queues are not configured, there is a
+ messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The

472
SOURCES/scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
View File

@ -1,472 +0,0 @@
From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:46:12 +0100
Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny
Rules are stored in different places depending on the system version.
These changes are now explicit in ocil and fixtext. In RHEL8.6 it was
introduced the rules.d feature and together the fagenrules script which
reads and concatenate the rules from rules.d to finally save the result
in the /etc/fapolicyd/compiled.rules file.
---
.../services/fapolicyd/fapolicy_default_deny/rule.yml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index 5b9a1649571..eeecd34e69a 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -39,10 +39,14 @@ ocil: |-
permissive = 0
- Check that fapolicyd employs a deny-all policy on system mounts with the following command:
+ Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
+ For RHEL 8.6 systems and newer:
+ $ sudo tail /etc/fapolicyd/compiled.rules
+
allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all
@@ -54,8 +58,12 @@ fixtext: |-
permissive = 1
+ For RHEL 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
+ For RHEL 8.6 systems and newer:
+ Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
+
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
permissive = 0
From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 09:40:20 +0100
Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny
Firsly the existing checks were aligned to the style guides and the
comments were reviewed. The regex used to identify the expected policy
was also fixed since it wasn't ensuring the deny policy if defined in a
wrong position. Finally, it was extended the assessment to consider the
/etc/fapolicyd/compiled.rules file.
---
.../fapolicy_default_deny/oval/shared.xml | 64 +++++++++++++------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
index 9989459ad22..40bdcf870ca 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
@@ -4,36 +4,58 @@
oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
}}}
<criteria>
- <criterion comment="fapolicyd employs a deny-all policy"
- test_ref="test_fapolicy_default_deny_policy" />
- <criterion comment="fapolicyd is in enforcement mode"
- test_ref="test_fapolicy_default_deny_enforcement" />
+ <criteria operator="OR">
+ <criterion comment="fapolicyd employs a deny-all policy in compiled.rules file"
+ test_ref="test_fapolicy_default_deny_policy_with_rulesd"/>
+ <criterion comment="fapolicyd employs a deny-all policy fapolicyd.rules file"
+ test_ref="test_fapolicy_default_deny_policy_without_rulesd"/>
+ </criteria>
+ <criterion comment="fapolicyd is in enforcement mode"
+ test_ref="test_fapolicy_default_deny_enforcement"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
- comment="fapolicyd employs a deny-all policy"
- id="test_fapolicy_default_deny_policy" version="1">
- <ind:object object_ref="obj_fapolicy_default_deny_policy" />
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_with_rulesd" version="1"
+ check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy in compiled.rules file">
+ <ind:object object_ref="object_fapolicy_default_deny_policy_compiled_rules"/>
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
- <ind:behaviors multiline="false" />
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_compiled_rules"
+ version="1">
+ <ind:filepath>/etc/fapolicyd/compiled.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_without_rulesd" version="2"
+ check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy in fapolicyd.rules file">
+ <ind:object object_ref="object_fapolicy_default_deny_policy_fapolicyd_rules"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_fapolicyd_rules"
+ version="2">
<ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
- <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test check_existence="all_exist" check="all"
- comment="fapolicyd is in enforcement mode"
- id="test_fapolicy_default_deny_enforcement" version="1">
- <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
- <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
+
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_enforcement" version="2"
+ check_existence="all_exist" check="all"
+ comment="permissive mode is disabled in fapolicyd settings">
+ <ind:object object_ref="object_fapolicy_default_deny_permissive_mode" />
+ <ind:state state_ref="state_fapolicy_default_deny_permissive_mode_off" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_permissive_mode" version="2">
<ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
- <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
- </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state id="state_fapolicy_default_deny_permissive_mode_off" version="2"
+ comment="permissive mode value is set to 0 (off) in fapolicyd settings file">
+ <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
+ </ind:textfilecontent54_state>
</def-group>
From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 10:32:51 +0100
Subject: [PATCH 3/5] Refactored the test scenario scripts
The scripts were invalid and wrongly reporting results. The main issue
was in scripts which intended to create two lines in a file but were
overwriting the entire file in the second command instead of append the
second line. The scripts were also refactored to consider systems using
the rules.d feature and also older systems which doesn't have the
rules.d feature. Another issue was that "no_quotes" was false by default
in the bash_shell_file_set macro, but the fapolicyd.conf doesn't expect
quotes and this was causing inconsistency in the file, so the no_quotes
was set to true when calling the macro from test scenarios. Finally the
scripts names were better aligned to their respective scenarios.
---
.../tests/allow_policy.fail.sh | 18 ++++++++++++++++++
.../tests/commented_value.fail.sh | 12 ------------
.../tests/correct_value.pass.sh | 12 ------------
.../tests/deny_not_last.fail.sh | 12 ------------
.../tests/deny_policy.pass.sh | 18 ++++++++++++++++++
.../tests/deny_policy_but_permissive.fail.sh | 16 ++++++++++++++++
.../tests/deny_policy_commented.fail.sh | 18 ++++++++++++++++++
.../tests/deny_policy_not_ensured.fail.sh | 18 ++++++++++++++++++
.../tests/fapolicy_permissive.fail.sh | 5 -----
.../tests/wrong_value.fail.sh | 11 -----------
10 files changed, 88 insertions(+), 52 deletions(-)
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
new file mode 100644
index 00000000000..23d7e699056
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "allow perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
deleted file mode 100644
index a8df835af76..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
deleted file mode 100644
index c88406b0be4..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
deleted file mode 100644
index 59b16308563..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
new file mode 100644
index 00000000000..f3ff83ca602
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
new file mode 100644
index 00000000000..caa401ca174
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
new file mode 100644
index 00000000000..4e4bc430cec
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "# deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
new file mode 100644
index 00000000000..b52e5446afc
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "deny perm=any all : all" >> $active_rules_file
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
deleted file mode 100644
index 50756a0e7a3..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
deleted file mode 100644
index da3e33f57fd..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 11:02:34 +0100
Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces
Once the test scenario scripts were fixed, an issue was revelead in
bash_shell_file_set macro. The macro was not considering config files
which have spaces before and after the separator carachter. Since the
separator_regex parameter already expects regex format, it was easily
extended.
---
shared/macros/10-bash.jinja | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index ae0f0e5e6ad..0e369314645 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -122,13 +122,13 @@ fi
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
- {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
{{% endif %}}
{{%- else -%}}
{{% if "$" in value %}}
- {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
{{% else %}}
- {{% set value = "'%s'" % value %}}
+ {{% set value = "'%s'" % value %}}
{{% endif %}}
{{%- endif -%}}
{{{ set_config_file(
@@ -140,7 +140,7 @@ fi
insert_before="^#\s*" ~ parameter,
insensitive=false,
separator="=",
- separator_regex="=",
+ separator_regex="\s*=\s*",
prefix_regex="^\s*")
}}}
{{%- endmacro -%}}
From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 18 Nov 2022 09:58:47 +0100
Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
The change is intended to avoid that RHEL 9 and OL get RHEL 8 minor
version text.
---
.../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index eeecd34e69a..220801bc471 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -41,10 +41,12 @@ ocil: |-
Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
$ sudo tail /etc/fapolicyd/compiled.rules
allow exe=/usr/bin/python3.7 : ftype=text/x-python
@@ -58,10 +60,12 @@ fixtext: |-
permissive = 1
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.

41
SOURCES/scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
View File

@ -1,41 +0,0 @@
From 7e2c7cc70acfdd71c64a8d9c0b6ea365a65ac1d5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 14:01:17 +0100
Subject: [PATCH 2/2] accounts_password: Add tests for conflicting and
duplicate values
Add tests for conflicting and duplicate values
---
.../accounts_password/tests/conflicting_values.fail.sh | 8 ++++++++
.../accounts_password/tests/duplicated_values.pass.sh | 7 +++++++
2 files changed, 15 insertions(+)
create mode 100644 shared/templates/accounts_password/tests/conflicting_values.fail.sh
create mode 100644 shared/templates/accounts_password/tests/duplicated_values.pass.sh
diff --git a/shared/templates/accounts_password/tests/conflicting_values.fail.sh b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
new file mode 100644
index 00000000000..3517ff43083
--- /dev/null
+++ b/shared/templates/accounts_password/tests/conflicting_values.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+truncate -s 0 /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_WRONG_VALUE }}}" >> /etc/security/pwquality.conf
diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
new file mode 100644
index 00000000000..e7b7f957d3d
--- /dev/null
+++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}}
+
+truncate -s 0 /etc/security/pwquality.conf
+
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf
+echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf

185
SOURCES/scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
View File

@ -1,185 +0,0 @@
From 38edb566365afd64632ad12d532ccbafcb7b422b Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Thu, 28 Jul 2022 13:51:27 -0500
Subject: [PATCH] Add OVAL to fapolicy_default_deny
Add the rule fapolicy_default_deny to OL8 STIG profile, which covers
requirement OL08-00-040137. Include tests to validate OVAL
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
.../fapolicy_default_deny/oval/shared.xml | 39 +++++++++++++++++++
.../fapolicyd/fapolicy_default_deny/rule.yml | 3 +-
.../tests/commented_value.fail.sh | 12 ++++++
.../tests/correct_value.pass.sh | 12 ++++++
.../tests/deny_not_last.fail.sh | 12 ++++++
.../tests/fapolicy_permissive.fail.sh | 5 +++
.../tests/wrong_value.fail.sh | 11 ++++++
products/ol8/profiles/stig.profile | 1 +
8 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
new file mode 100644
index 00000000000..9989459ad22
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{
+ oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
+ }}}
+ <criteria>
+ <criterion comment="fapolicyd employs a deny-all policy"
+ test_ref="test_fapolicy_default_deny_policy" />
+ <criterion comment="fapolicyd is in enforcement mode"
+ test_ref="test_fapolicy_default_deny_enforcement" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy"
+ id="test_fapolicy_default_deny_policy" version="1">
+ <ind:object object_ref="obj_fapolicy_default_deny_policy" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
+ <ind:behaviors multiline="false" />
+ <ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
+ <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_test check_existence="all_exist" check="all"
+ comment="fapolicyd is in enforcement mode"
+ id="test_fapolicy_default_deny_enforcement" version="1">
+ <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
+ <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
+ <ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
+ <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index e6837e5d7bd..5b9a1649571 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: ol8,ol9,rhel8,rhel9
title: 'Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.'
@@ -25,6 +25,7 @@ references:
disa: CCI-001764
nist: CM-7 (2),CM-7 (5) (b),CM-6 b
srg: SRG-OS-000368-GPOS-00154,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00232
+ stigid@ol8: OL08-00-040137
stigid@rhel8: RHEL-08-040137
ocil_clause: 'fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy'
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
new file mode 100644
index 00000000000..a8df835af76
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..c88406b0be4
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
new file mode 100644
index 00000000000..59b16308563
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
new file mode 100644
index 00000000000..50756a0e7a3
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..da3e33f57fd
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
+
+truncate -s 0 /etc/fapolicyd/fapolicyd.rules
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 05f03d339e6..34a136b8489 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -1069,6 +1069,7 @@ selections:
- service_fapolicyd_enabled
# OL08-00-040137
+ - fapolicy_default_deny
# OL08-00-040139
- package_usbguard_installed

61
SOURCES/scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
View File

@ -1,61 +0,0 @@
From dc37d3c376cd3f2a2178d82a928629b231662cf9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Fri, 11 Nov 2022 12:05:28 +0100
Subject: [PATCH] Align service_disabled template to service_enabled
---
.../service_disabled/ansible.template | 32 +++++--------------
1 file changed, 8 insertions(+), 24 deletions(-)
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 5c70756b8af..752f6ac5099 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -3,39 +3,17 @@
# strategy = disable
# complexity = low
# disruption = low
-{{%- if init_system == "systemd" %}}
- name: Disable service {{{ SERVICENAME }}}
block:
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
- name: Disable service {{{ SERVICENAME }}}
- systemd:
- name: "{{{ DAEMONNAME }}}.service"
+ service:
+ name: "{{{ DAEMONNAME }}}"
enabled: "no"
state: "stopped"
masked: "yes"
- ignore_errors: 'yes'
-
-- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
- command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
- args:
- warn: False
- register: socket_file_exists
- changed_when: False
- ignore_errors: True
- check_mode: False
-
-- name: Disable socket {{{ SERVICENAME }}}
- systemd:
- name: "{{{ DAEMONNAME }}}.socket"
- enabled: "no"
- state: "stopped"
- masked: "yes"
- when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
-{{% elif init_system == "upstart" %}}
-- name: Stop {{{ SERVICENAME }}}
- command: /sbin/service '{{{ DAEMONNAME }}}' stop
-
-- name: Switch off {{{ SERVICENAME }}}
- command: /sbin/chkconfig --level 0123456 '{{{ DAEMONNAME }}}' off
-{{%- else %}}
-JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
-{{%- endif %}}
+ when:
+ - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'

217
SOURCES/scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
View File

@ -1,217 +0,0 @@
From c27ea9d1987545488b6bca12a9dafd149331b1f9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Fri, 11 Nov 2022 12:27:11 +0100
Subject: [PATCH 1/3] Remove deprecated warn parameter from Ansbile command
module
---
.../system/accounts/enable_authselect/ansible/shared.yml | 2 --
.../audit_rules_privileged_commands/ansible/shared.yml | 2 --
.../audit_rules_suid_privilege_function/ansible/shared.yml | 2 --
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 6 ------
.../rpm_verify_ownership/ansible/shared.yml | 6 ------
.../rpm_verify_permissions/ansible/shared.yml | 6 ------
.../ensure_redhat_gpgkey_installed/ansible/shared.yml | 2 --
8 files changed, 28 deletions(-)
diff --git a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
index afd658790f7..6a7324a7a64 100644
--- a/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml
@@ -17,8 +17,6 @@
cmd: rpm -qV pam
register: result_altered_authselect
ignore_errors: yes
- args:
- warn: False
when:
- result_authselect_select is failed
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 68c8497c859..bb1fec9e2b8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -8,8 +8,6 @@
shell: |
set -o pipefail
find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
- args:
- warn: False
executable: /bin/bash
check_mode: no
register: find_result
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
index b25361136af..c46cbbe3950 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml
@@ -49,8 +49,6 @@
{{%- else %}} # restarting auditd through systemd doesn't work, see: https://access.redhat.com/solutions/5515011
- name: Reload Auditd
command: /usr/sbin/service auditd reload
- args:
- warn: false
{{%- endif %}}
when:
- (augenrules_audit_rules_privilege_function_update_result.changed or
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0241e804b30..0d66cb349c0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -22,8 +22,6 @@
- name: "Read files with incorrect hash"
command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
register: files_with_incorrect_hash
changed_when: False
failed_when: files_with_incorrect_hash.rc > 1
@@ -32,8 +30,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -44,8 +40,6 @@
- name: "Reinstall packages of files with incorrect hash"
command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when:
- files_with_incorrect_hash.stdout_lines is defined
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index ed490498a1d..f43b9bcef1c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -5,8 +5,6 @@
# disruption = medium
- name: "Read list of files with incorrect ownership"
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
register: files_with_incorrect_ownership
failed_when: files_with_incorrect_ownership.rc > 1
changed_when: False
@@ -14,8 +12,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -24,7 +20,5 @@
- name: "Correct file ownership with RPM"
command: "rpm --quiet --setugids '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 419ef95a323..0bd8e7e8ad5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -5,8 +5,6 @@
# disruption = medium
- name: "Read list of files with incorrect permissions"
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
register: files_with_incorrect_permissions
failed_when: files_with_incorrect_permissions.rc > 1
changed_when: False
@@ -14,8 +12,6 @@
- name: Create list of packages
command: rpm -qf "{{ item }}"
- args:
- warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
register: list_of_packages
changed_when: False
@@ -24,7 +20,5 @@
- name: "Correct file permissions with RPM"
command: "rpm --setperms '{{ item }}'"
- args:
- warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index f6f590820e1..6ab9bdee767 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -18,8 +18,6 @@
{{%- else -%}}
command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
{{%- endif %}}
- args:
- warn: False
changed_when: False
register: gpg_fingerprints
check_mode: no
From 5617aa675132782d53a8714738bd2187d9b2e3ab Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 10:00:49 +0100
Subject: [PATCH 2/3] Fix rpm_verify_* ansible remediations
---
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +-
.../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 0d66cb349c0..fd850def318 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -12,7 +12,7 @@
- name: "Set fact: Package manager reinstall command (yum)"
set_fact:
package_manager_reinstall_cmd: yum reinstall -y
- when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
+ when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "OracleLinux")
- name: "Read files with incorrect hash"
command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index f43b9bcef1c..5c39628ff4c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -19,6 +19,6 @@
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
- name: "Correct file ownership with RPM"
- command: "rpm --quiet --setugids '{{ item }}'"
+ command: "rpm --setugids '{{ item }}'"
with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
From 957d0439e89ebe5c665aafa16e107c6611d83f6b Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Tue, 15 Nov 2022 17:20:02 +0100
Subject: [PATCH 3/3] Make rpm_verify_hashes ansible remediation applicable on
all RHELs
---
.../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index fd850def318..178a7711a54 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -1,5 +1,5 @@
# and the regex_findall does not filter out configuration files the same as bash remediation does
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# strategy = restrict
# complexity = high

50
SOURCES/scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
View File

@ -1,50 +0,0 @@
From 8c6d618070476bd81edd0524c895a3497fc902a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 17:48:55 +0100
Subject: [PATCH] accounts_password_pam_retry: Add test for dupes and conflicts
Add test scenarios to ensure that conflicting values are failing
and that duplicated rule are passing.
---
.../tests/pwquality_conf_conflicting_values.fail.sh | 12 ++++++++++++
.../tests/pwquality_conf_duplicate_values.pass.sh | 12 ++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
new file mode 100644
index 00000000000..16bd1171a46
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_conflicting_values.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# variables = var_password_pam_retry=3
+
+source common.sh
+
+CONF_FILE="/etc/security/pwquality.conf"
+retry_cnt=3
+
+truncate -s 0 $CONF_FILE
+
+echo "retry = 3" >> $CONF_FILE
+echo "retry = 4" >> $CONF_FILE
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
new file mode 100644
index 00000000000..da37627dbb3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_duplicate_values.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# variables = var_password_pam_retry=3
+
+source common.sh
+
+CONF_FILE="/etc/security/pwquality.conf"
+retry_cnt=3
+
+truncate -s 0 $CONF_FILE
+
+echo "retry = 3" >> $CONF_FILE
+echo "retry = 3" >> $CONF_FILE

81
SOURCES/scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
View File

@ -1,81 +0,0 @@
From ddf34ef7c71b79ca12ccfcd00eada2c08c34d2c9 Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Mon, 14 Nov 2022 17:16:53 +0100
Subject: [PATCH 1/2] Revert "Align service_disabled template to
service_enabled"
This reverts commit dc37d3c376cd3f2a2178d82a928629b231662cf9.
---
.../service_disabled/ansible.template | 32 ++++++++++++++-----
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 752f6ac5099..5c70756b8af 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -3,17 +3,33 @@
# strategy = disable
# complexity = low
# disruption = low
+{{%- if init_system == "systemd" %}}
- name: Disable service {{{ SERVICENAME }}}
block:
- - name: Gather the package facts
- package_facts:
- manager: auto
-
- name: Disable service {{{ SERVICENAME }}}
- service:
- name: "{{{ DAEMONNAME }}}"
+ systemd:
+ name: "{{{ DAEMONNAME }}}.service"
enabled: "no"
state: "stopped"
masked: "yes"
- when:
- - '"{{{ PACKAGENAME }}}" in ansible_facts.packages'
+ ignore_errors: 'yes'
+
+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
+ args:
+ warn: False
+ register: socket_file_exists
+ changed_when: False
+ ignore_errors: True
+ check_mode: False
+
+- name: Disable socket {{{ SERVICENAME }}}
+ systemd:
+ name: "{{{ DAEMONNAME }}}.socket"
+ enabled: "no"
+ state: "stopped"
+ masked: "yes"
+ when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
+{{%- else %}}
+JINJA TEMPLATE ERROR: Unknown init system '{{{ init_system }}}'
+{{%- endif %}}
From 8c20a2bc997c0a24eba2a9924d832954b9e91b6a Mon Sep 17 00:00:00 2001
From: Milan Lysonek <mlysonek@redhat.om>
Date: Mon, 14 Nov 2022 17:37:50 +0100
Subject: [PATCH 2/2] Make service_disabled template compatible with Ansible
2.14
---
shared/templates/service_disabled/ansible.template | 2 --
1 file changed, 2 deletions(-)
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 5c70756b8af..72678e050cf 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -16,8 +16,6 @@
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
- args:
- warn: False
register: socket_file_exists
changed_when: False
ignore_errors: True

1739
SOURCES/scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
View File

File diff suppressed because it is too large Load Diff

95
SOURCES/scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch
View File

@ -1,95 +0,0 @@
From 9a72c4cef2dd782e14f1534a52c45125671a828d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:23:32 +0100
Subject: [PATCH 2/4] Update remediation to skip .bash_profile file
This file can have the umask content but for a different purpose than
this rule intention. It was ignored in order to avoid changing the bash
history. Ansible and Bash were updated.
---
.../accounts_umask_interactive_users/ansible/shared.yml | 4 +++-
.../accounts_umask_interactive_users/bash/shared.sh | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
index 67064ac4a3b..3586ae69cbe 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/ansible/shared.yml
@@ -9,6 +9,8 @@
cmd: |
for dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != 65534) print $6}' /etc/passwd); do
for file in $(find $dir -maxdepth 1 -type f -name ".*"); do
- sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ if [ "$(basename $file)" != ".bash_history" ]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' $file
+ fi
done
done
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
index d5f803db313..f524ff01f9a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/bash/shared.sh
@@ -6,6 +6,8 @@
{{% call iterate_over_command_output("dir", "awk -F':' '{ if ($3 >= " ~ uid_min ~ " && $3 != 65534) print $6}' /etc/passwd") -%}}
{{% call iterate_over_find_output("file", '$dir -maxdepth 1 -type f -name ".*"') -%}}
-sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+if [ "$(basename $file)" != ".bash_history" ]; then
+ sed -i 's/^\([\s]*umask\s*\)/#\1/g' "$file"
+fi
{{%- endcall %}}
{{%- endcall %}}
From d0dcfc06b31d08cb42151463473ba0b211c54e6a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:26:04 +0100
Subject: [PATCH 3/4] Include test scenario to test .bash_history treatment
---
.../tests/bash_history_ignored.pass.sh | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
new file mode 100644
index 00000000000..8eeffc233b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/tests/bash_history_ignored.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+USER="cac_user"
+useradd -m $USER
+echo "umask 022" > /home/$USER/.bash_history
From c8dc63aad4fbe6df499192eda01d66e64bc8c9c3 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:27:26 +0100
Subject: [PATCH 4/4] Extend OVAL check to ignore .bash_history file
This rule targets user files where the umask can be changed. It is not the
case for .bash_history. In addition, it should be avoided to change the
.bash_history file by this rule remediations.
---
.../accounts_umask_interactive_users/oval/shared.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
index 42dbdbbae46..6f3eaa570d7 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/oval/shared.xml
@@ -29,8 +29,14 @@
<ind:filename operation="pattern match">^\..*</ind:filename>
<ind:pattern operation="pattern match">^[\s]*umask\s*</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_accounts_umask_interactive_users_bash_history</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_accounts_umask_interactive_users_bash_history"
+ version="1">
+ <ind:filename operation="pattern match">^\.bash_history</ind:filename>
+ </ind:textfilecontent54_state>
+
<!-- #### creation of test #### -->
<ind:textfilecontent54_test id="test_accounts_umask_interactive_users" check="all"
check_existence="none_exist" version="1"

352
SOURCES/scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch
View File

@ -1,352 +0,0 @@
From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 13:53:14 +0100
Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1
Following update from V1R8, update the STIG profile to configure
ClientAliveCountMax to 1.
This will timeout SSH connections when client alive messages are not
received within ClientAliveInterval seconds.
This serves the purpose of disconnecting sessions when the client has
become unresponsive.
---
.../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 +
.../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index bc8ee914565..df0681f3f3a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -55,6 +55,7 @@ references:
pcidss: Req-8.1.8
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
stigid@ol7: OL07-00-040340
+ stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@ubuntu2004: UBTU-20-010036
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index 024cb687382..a02fa8f40db 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -54,7 +54,6 @@ references:
stigid@ol7: OL07-00-040340
stigid@ol8: OL08-00-010200
stigid@rhel7: RHEL-07-040340
- stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@sle15: SLES-15-010320
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 96dfbf6b203..d184957f28c 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,7 +50,7 @@ selections:
- var_password_pam_lcredit=1
- var_password_pam_retry=3
- var_password_pam_minlen=15
- # - var_sshd_set_keepalive=0
+ - var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
@@ -174,7 +174,7 @@ selections:
# they still need to be selected so it follows exactly what STIG
# states.
# RHEL-08-010200
- - sshd_set_keepalive_0
+ - sshd_set_keepalive
# RHEL-08-010201
- sshd_set_idle_timeout
From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 14:06:42 +0100
Subject: [PATCH 2/7] Change verbiage on keepalive rules
Stop using the 'idle', that implies an idle user; And
start using unresponsive, which better describes the state of network.
---
.../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++-------
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++---
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index df0681f3f3a..7a27c134f1e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -7,14 +7,15 @@ description: |-
during a SSH session and waits for a response from the SSH client.
The option <tt>ClientAliveInterval</tt> configures timeout after
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
- receive a response from the client, then the connection is considered idle
+ receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
- causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
+ causes a timeout precisely when the <tt>ClientAliveInterval</tt> is set.
Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
completely. If the option is set to a number greater than <tt>0</tt>, then
- the idle session will be disconnected after
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+ the session will be disconnected after
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving
+ a keep alive message.
rationale: |-
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -70,8 +71,8 @@ ocil: |-
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
<pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
- For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
+ For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes a timeout precisely when
the <tt>ClientAliveInterval</tt> is set. Starting with v8.2, a value of <tt>0</tt> disables the timeout
functionality completely.
- If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+ If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds witout receiving a keep alive message.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index a02fa8f40db..55011ab66a7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -10,10 +10,10 @@ description: |-
during a SSH session and waits for a response from the SSH client.
The option <tt>ClientAliveInterval</tt> configures timeout after
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
- receive a response from the client, then the connection is considered idle
+ receive a response from the client, then the connection is considered unresponsive
and terminated.
- To ensure the SSH idle timeout occurs precisely when the
+ To ensure the SSH timeout occurs precisely when the
<tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
value of <tt>0</tt> in
{{{ sshd_config_file() }}}
@@ -73,7 +73,7 @@ ocil: |-
If properly configured, the output should be:
<pre>ClientAliveCountMax 0</pre>
- In this case, the SSH idle timeout occurs precisely when
+ In this case, the SSH timeout occurs precisely when
the <tt>ClientAliveInterval</tt> is set.
template:
From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 14:27:50 +0100
Subject: [PATCH 3/7] Add tests to check for configuration conflicts
---
.../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++
.../tests/param_conflict_directory.fail.sh | 13 +++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..54441cbb5b6
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
new file mode 100644
index 00000000000..aa6931cc243
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:09:16 +0100
Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax
The rule was only checking the first occurence of ClientAliveCountMax,
but we need to check that all and any occurrences of
ClientAliveCountMax are compliant.
---
.../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
index 5e07d982821..404c36c8dbc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
@@ -49,7 +49,7 @@
<ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{%- if sshd_distributed_config == "true" %}}
<ind:textfilecontent54_test check="all" check_existence="all_exist"
From d15ebb0b563895fbc2ab85c631410ea60bd02d95 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:40:26 +0100
Subject: [PATCH 5/7] Add test to check for configuration conflicts
Add test for non distributed ssh config conflicts for
ClientAliveInterval.
---
.../tests/param_conflict.fail.sh | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..1e14aa3da36
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
+echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:41:19 +0100
Subject: [PATCH 6/7] Change verbiage on idle timeout rule
The config is not really about idle user timeout, the config is about
unresponsive network timeout.
---
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index aa085894f61..c5606aac557 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -1,12 +1,12 @@
documentation_complete: true
-title: 'Set SSH Idle Timeout Interval'
+title: 'Set SSH Client Alive Interval'
description: |-
- SSH allows administrators to set an idle timeout interval. After this interval
- has passed, the idle user will be automatically logged out.
+ SSH allows administrators to set a network responsiveness timeout interval.
+ After this interval has passed, the unresponsive client will be automatically logged out.
<br /><br />
- To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
+ To set this timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
follows:
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
<br/><br/>
@@ -15,7 +15,7 @@ description: |-
<br /><br />
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
- some processes may stop SSH from correctly detecting that the user is idle.
+ some processes may stop SSH from correctly detecting that the user is idle.
rationale: |-
Terminating an idle ssh session within a short time period reduces the window of
@@ -81,7 +81,7 @@ ocil: |-
warnings:
- dependency: |-
- SSH disconnecting idle clients will not have desired effect without also
+ SSH disconnecting unresponsive clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration.
- general: |-
Following conditions may prevent the SSH session to time out:
From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 9 Nov 2022 11:31:50 +0100
Subject: [PATCH 7/7] Update profile stability test data
---
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index cadc3f5fc7a..51971451996 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -371,7 +371,7 @@ selections:
- sshd_print_last_log
- sshd_rekey_limit
- sshd_set_idle_timeout
-- sshd_set_keepalive_0
+- sshd_set_keepalive
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -441,6 +441,7 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
+- var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index bde4e18b068..fd150744167 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -381,7 +381,7 @@ selections:
- sshd_print_last_log
- sshd_rekey_limit
- sshd_set_idle_timeout
-- sshd_set_keepalive_0
+- sshd_set_keepalive
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -449,6 +449,7 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
+- var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes

142
SOURCES/scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch
View File

@ -1,142 +0,0 @@
From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 10:13:16 +0100
Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
---
.../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..0eb6aab6804
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
new file mode 100644
index 00000000000..bc254a3a57c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf
From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 10:32:35 +0100
Subject: [PATCH 2/3] Separate the SSHD parameter from the value
Separate the SSHD paramater RekeyLimit from the compliant values.
This makes it possible to collect all occurrences of RekeyLimit and
compare each of then with the compliant values.
---
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index b2dd9039200..38c8a84aa3f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -24,30 +24,36 @@
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
<ind:object object_ref="obj_sshd_rekey_limit"/>
+ <ind:state state_ref="state_sshd_rekey_limit"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
<ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
{{%- if sshd_distributed_config == "true" %}}
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
+ <ind:state state_ref="state_sshd_rekey_limit"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
<ind:path>{{{ sshd_config_dir}}}</ind:path>
<ind:filename operation="pattern match">.*\.conf$</ind:filename>
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
{{%- endif %}}
+ <ind:textfilecontent54_state id="state_sshd_rekey_limit" version="1">
+ <ind:subexpression operation="pattern match" var_ref="sshd_line_regex" />
+ </ind:textfilecontent54_state>
+
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
- <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
+ <literal_component>^</literal_component>
<variable_component var_ref="var_rekey_limit_size"/>
<literal_component>[\s]+</literal_component>
<variable_component var_ref="var_rekey_limit_time"/>
From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Nov 2022 10:39:45 +0100
Subject: [PATCH 3/3] Add test for duplicated SSHD parameter
Ensure the rule still passes when a parameter is defined multiple times
but have the same value.
---
.../tests/duplicated_param.pass.sh | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
new file mode 100644
index 00000000000..2e0d8145abd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+

52
SOURCES/scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
View File

@ -1,52 +0,0 @@
From 93b9ab4f532710a8c063d7a71cbbeee26be2470b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 18:01:17 +0100
Subject: [PATCH] Add test for param conflicts for SSH compression
---
.../tests/param_conflict.fail.sh | 13 +++++++++++++
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..a631b3207bd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+SSHD_PARAM="Compression"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config
+echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
new file mode 100644
index 00000000000..f1c15c139c7
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+SSHD_PARAM="Compression"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf
+echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf

202
SOURCES/scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
View File

@ -1,202 +0,0 @@
From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:16:32 +0100
Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
Sysctl options can also be defined in /usr/local/lib/sysctl.d/
---
.../tests/correct_value_usr_local_lib.pass.sh | 14 ++++++++++++++
.../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
new file mode 100644
index 00000000000..3e366a9162f
--- /dev/null
+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+mkdir /usr/local/lib/sysctl.d/
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
new file mode 100644
index 00000000000..fee34ea272f
--- /dev/null
+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{% if SYSCTLVAL == "" %}}
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
+{{% endif %}}
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
+mkdir /usr/local/lib/sysctl.d/
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf
+
+# Setting correct runtime value
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:19:15 +0100
Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs
Update the template so that /usr/local/lib/sysctl.d is also checked for
sysctl onfigurations.
---
shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index bbe646274f6..3fe6de1c185 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -138,6 +138,8 @@
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
{{% endif %}}
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/local/lib/sysctl.d/*.conf"
+ test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
</criteria>
{{% if target_oval_version >= [5, 11] %}}
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
@@ -181,6 +183,13 @@
</unix:symlink_state>
{{% endif %}}
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_local_lib_sysctld" version="1"
+ check_existence="any_exist"
+ check="all"
+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
+ {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
+ </ind:textfilecontent54_test>
+
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
<object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
</local_variable>
@@ -190,7 +199,7 @@
<ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
<set>
<object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
- <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
+ <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
</set>
</ind:textfilecontent54_object>
@@ -201,6 +210,13 @@
</set>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
+ <set>
+ <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
+ <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
<set>
<object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
@@ -227,6 +243,12 @@
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
+ <ind:path>/usr/local/lib/sysctl.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ {{{ sysctl_match() }}}
+ </ind:textfilecontent54_object>
+
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:35:17 +0100
Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations
The Ansible remediation for some products were not aligned with the Bash
one.
---
shared/templates/sysctl/ansible.template | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index edc4d3fb667..d67cdd2068c 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,12 +9,15 @@
paths:
- "/etc/sysctl.d/"
- "/run/sysctl.d/"
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+ - "/usr/lib/sysctl.d/"
+{{% endif %}}
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
patterns: "*.conf"
file_type: any
register: find_sysctl_d
-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files
replace:
path: "{{ item.path }}"
regexp: '^[\s]*{{{ SYSCTLVAR }}}'
From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:36:59 +0100
Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d
Also check for sysctl configs /usr/local/lib/sysctl.d for sysctl options
and comment them out.
---
shared/templates/sysctl/ansible.template | 1 +
shared/templates/sysctl/bash.template | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index d67cdd2068c..3ac5d072fcf 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,6 +9,7 @@
paths:
- "/etc/sysctl.d/"
- "/run/sysctl.d/"
+ - "/usr/local/lib/sysctl.d/"
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
- "/usr/lib/sysctl.d/"
{{% endif %}}
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index 27935c33612..83f50a74a06 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -6,9 +6,9 @@
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
{{% else %}}
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
{{% endif %}}
matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
if ! test -z "$matching_list"; then

6320
SOURCES/scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
View File

File diff suppressed because one or more lines are too long

83
SOURCES/scap-security-guide-0.1.66-map_stig_rhel_08_040400-PR_9878.patch
View File

@ -1,83 +0,0 @@
From fae75e8f00cf5de18c4c1813d94987e848f14233 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 24 Nov 2022 14:40:15 +0100
Subject: [PATCH] Map selinux_user_login_roles to RHEL-08-040400
This STIG ID is a new addition in DISA RHEL8 STIG V1R8
---
.../guide/system/selinux/selinux_user_login_roles/rule.yml | 2 ++
products/rhel8/profiles/stig.profile | 3 +++
shared/references/cce-redhat-avail.txt | 1 -
tests/data/profile_stability/rhel8/stig.profile | 1 +
tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
5 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
index 053d4341bbd..d4c211c1062 100644
--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
@@ -34,6 +34,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80543-2
+ cce@rhel8: CCE-86353-0
references:
disa: CCI-002165,CCI-002235
@@ -41,6 +42,7 @@ references:
stigid@ol7: OL07-00-020020
stigid@ol8: OL08-00-040400
stigid@rhel7: RHEL-07-020020
+ stigid@rhel8: RHEL-08-040400
ocil_clause: 'non-admin users are not confined correctly'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index d184957f28c..fe699f34beb 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1207,5 +1207,8 @@ selections:
# RHEL-08-040390
- package_tuned_removed
+ # RHEL-08-040400
+ - selinux_user_login_roles
+
# RHEL-08-010163
- package_krb5-server_removed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index d2fcd6421e1..9575ecac8c9 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -210,7 +210,6 @@ CCE-86343-1
CCE-86347-2
CCE-86351-4
CCE-86352-2
-CCE-86353-0
CCE-86355-5
CCE-86357-1
CCE-86358-9
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 51971451996..6ddf29e7bfe 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -343,6 +343,7 @@ selections:
- security_patches_up_to_date
- selinux_policytype
- selinux_state
+- selinux_user_login_roles
- service_auditd_enabled
- service_autofs_disabled
- service_debug-shell_disabled
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index fd150744167..fb8f5602dac 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -353,6 +353,7 @@ selections:
- security_patches_up_to_date
- selinux_policytype
- selinux_state
+- selinux_user_login_roles
- service_auditd_enabled
- service_autofs_disabled
- service_debug-shell_disabled

106
SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch Normal file
View File

@ -0,0 +1,106 @@
From f9a787045807d22b0bca3d028f265cb6f87f681c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 7 Feb 2023 10:53:18 +0100
Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled
Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
Patch-status: Change custom zones check in firewalld_sshd_port_enabled
---
.../oval/shared.xml | 68 +++++++++++++++----
1 file changed, 54 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
index 4adef2e53f..d7c96665b4 100644
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
@@ -133,9 +133,10 @@
OVAL resources in order to detect and assess only active zone, which are zones with at
least one NIC assigned to it. Since it was possible to easily have the list of active
zones, it was cumbersome to use that list in other OVAL objects without introduce a high
- level of complexity to make sure environments with multiple NICs and multiple zones are
- in use. So, in favor of simplicity and readbility it was decided to work with a static
- list. It means that, in the future, it is possible this list needs to be updated. -->
+ level of complexity to ensure proper assessment in environments where multiple NICs and
+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
+ work with a static list. It means that, in the future, it is possible this list needs to
+ be updated. -->
<local_variable id="var_firewalld_sshd_port_enabled_default_zones" version="1"
datatype="string"
comment="Regex containing the list of zones files delivered in the firewalld package">
@@ -145,23 +146,62 @@
<!-- If any default zone is modified by the administrator, the respective zone file is placed
in the /etc/firewalld/zones dir in order to override the default zone settings. The same
directory is applicable for new zones created by the administrator. Therefore, all files
- in this directory should also allow SSH. -->
- <ind:xmlfilecontent_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
+ in this directory should also allow SSH.
+ This test was updated in a reaction to https://github.com/OpenSCAP/openscap/issues/1923,
+ which changed the behaviour of xmlfilecontent probe in OpenSCAP 1.3.7. Currently, a
+ variable test is the simplest way to check if all custom zones are allowing ssh, but have
+ an impact in transparency since the objects are not shown in reports. The transparency
+ impact can be workarounded by using other OVAL objects, but this would impact in
+ readability and would increase complexity. This solution is in favor of simplicity. -->
+ <ind:variable_test id="test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc"
check="all" check_existence="at_least_one_exists" version="1"
comment="SSH service is defined in all zones created or modified by the administrator">
- <ind:object object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
- <ind:state state_ref="state_firewalld_sshd_port_enabled_zone_files_etc"/>
- </ind:xmlfilecontent_test>
+ <ind:object
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"/>
+ <ind:state state_ref="state_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_test>
+
+ <ind:variable_object id="object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ version="1">
+ <ind:var_ref>var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files allowing ssh">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_zone_files_etc"/>
+ </count>
+ </local_variable>
<ind:xmlfilecontent_object id="object_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:path>/etc/firewalld/zones</ind:path>
- <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
+ <ind:path>/etc/firewalld/zones</ind:path>
+ <ind:filename operation="pattern match">^.*\.xml$</ind:filename>
+ <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
</ind:xmlfilecontent_object>
- <ind:xmlfilecontent_state id="state_firewalld_sshd_port_enabled_zone_files_etc" version="1">
- <ind:xpath>/zone/service[@name='ssh']</ind:xpath>
- </ind:xmlfilecontent_state>
+ <ind:variable_state id="state_firewalld_sshd_port_enabled_custom_zone_files_count"
+ version="1">
+ <ind:value datatype="int" operation="equals" var_check="at least one"
+ var_ref="var_firewalld_sshd_port_enabled_custom_zone_files_count"/>
+ </ind:variable_state>
+
+ <local_variable id="var_firewalld_sshd_port_enabled_custom_zone_files_count"
+ datatype="int" version="1"
+ comment="Variable including number of custom zone files present in /etc/firewalld/zones">
+ <count>
+ <object_component item_field="filepath"
+ object_ref="object_firewalld_sshd_port_enabled_custom_zone_files"/>
+ </count>
+ </local_variable>
+
+ <unix:file_object id="object_firewalld_sshd_port_enabled_custom_zone_files" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1"
+ recurse_file_system="local"/>
+ <unix:path>/etc/firewalld/zones</unix:path>
+ <unix:filename operation="pattern match">^.*\.xml$</unix:filename>
+ </unix:file_object>
<!-- SSH service is configured as expected -->
<!-- The firewalld package brings many services already defined out-of-box, including SSH.
--
2.39.1

122
SOURCES/scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch Normal file
View File

@ -0,0 +1,122 @@
From a8236abf709c577152cb96876fcc27c8cf173e66 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Feb 2023 14:42:32 +0100
Subject: [PATCH 5/5] Accept required and requisite control flag for
pam_pwhistory
Patch-name: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
Patch-status: Accept required and requisite control flag for pam_pwhistory
---
controls/cis_rhel8.yml | 2 +-
controls/cis_rhel9.yml | 2 +-
controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml | 2 +-
.../rule.yml | 4 ++++
.../var_password_pam_remember_control_flag.var | 1 +
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
8 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c0406f97b8..efc53d03fd 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2267,7 +2267,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
index 7299a39528..30f7e8d182 100644
--- a/controls/cis_rhel9.yml
+++ b/controls/cis_rhel9.yml
@@ -2112,7 +2112,7 @@ controls:
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_password_pam_remember=5
- id: 5.5.4
diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
index 1e8286a4a4..b02b7da419 100644
--- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
+++ b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml
@@ -5,7 +5,7 @@ controls:
title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations.
rules:
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
status: automated
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index c549de2e96..d2b220ef9f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -129,3 +129,7 @@ warnings:
Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly
enable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
+ If a custom profile was created and used in the system before this authselect feature was
+ available, the new feature can't be used with this custom profile and the
+ remediation will fail. In this case, the custom profile should be recreated or manually
+ updated.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
index 8f01007550..1959936c04 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember_control_flag.var
@@ -20,4 +20,5 @@ options:
"sufficient": "sufficient"
"binding": "binding"
"ol8": "required,requisite"
+ "requisite_or_required": "requisite,required"
default: "requisite"
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 8c64868619..a3f7dc9720 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -37,7 +37,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
- - var_password_pam_remember_control_flag=requisite
+ - var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6970a32b4f..5d694c6ae1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -433,7 +433,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 314f14e4f6..e165525b90 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -441,7 +441,7 @@ selections:
- var_accounts_minimum_age_login_defs=1
- var_accounts_max_concurrent_login_sessions=10
- var_password_pam_remember=5
-- var_password_pam_remember_control_flag=requisite
+- var_password_pam_remember_control_flag=requisite_or_required
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- var_password_pam_unix_rounds=5000
--
2.39.1

147
SOURCES/scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch Normal file
View File

@ -0,0 +1,147 @@
From 775dec7b479f9fa900fa46d174b202efc14407fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 13 Feb 2023 11:14:40 +0100
Subject: [PATCH 6/6] remove rule logind_session_timeout and associated
variable from profiles
Patch-name: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
Patch-status: remove rule logind_session_timeout and associated variable from profiles
---
controls/anssi.yml | 2 --
products/rhel8/profiles/cjis.profile | 2 --
products/rhel8/profiles/ospp.profile | 2 --
products/rhel8/profiles/pci-dss.profile | 2 --
products/rhel8/profiles/rht-ccp.profile | 2 --
tests/data/profile_stability/rhel8/ospp.profile | 2 --
tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
7 files changed, 14 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 607ce976ef..9e631d1de4 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -676,8 +676,6 @@ controls:
- var_accounts_tmout=10_min
- sshd_set_idle_timeout
- sshd_idle_timeout_value=10_minutes
- - logind_session_timeout
- - var_logind_session_timeout=10_minutes
- sshd_set_keepalive
- id: R30
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index f60b65bc06..18394802b9 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -104,7 +104,6 @@ selections:
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- - logind_session_timeout
- sshd_set_keepalive_0
- disable_host_auth
- sshd_disable_root_login
@@ -120,7 +119,6 @@ selections:
- set_firewalld_default_zone
- firewalld_sshd_port_enabled
- sshd_idle_timeout_value=30_minutes
- - var_logind_session_timeout=30_minutes
- inactivity_timeout_value=30_minutes
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_tcp_syncookies
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 0fe17b2085..fb46ab4c0c 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -300,8 +300,6 @@ selections:
## We deliberately set sshd timeout to 1 minute before tmux lock timeout
- sshd_idle_timeout_value=14_minutes
- sshd_set_idle_timeout
- - logind_session_timeout
- - var_logind_session_timeout=14_minutes
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index c63c5f4a07..c0c9b12773 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -17,7 +17,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
- - var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
@@ -110,7 +109,6 @@ selections:
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- accounts_password_pam_minlen
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 0a00d2f46b..775727e885 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -12,7 +12,6 @@ selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- sshd_idle_timeout_value=5_minutes
- - var_logind_session_timeout=5_minutes
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
- var_accounts_password_warn_age_login_defs=7
@@ -89,7 +88,6 @@ selections:
- package_telnet_removed
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- - logind_session_timeout
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- disable_host_auth
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index a31f3245d8..267b66a4f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -104,7 +104,6 @@ selections:
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- kernel_module_tipc_disabled
-- logind_session_timeout
- mount_option_boot_nodev
- mount_option_boot_nosuid
- mount_option_dev_shm_nodev
@@ -254,7 +253,6 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- sshd_idle_timeout_value=14_minutes
-- var_logind_session_timeout=14_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 5c77ea6a85..902d0084fc 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -109,7 +109,6 @@ selections:
- gid_passwd_group_same
- grub2_audit_argument
- install_hids
-- logind_session_timeout
- no_empty_passwords
- package_aide_installed
- package_audispd-plugins_installed
@@ -137,7 +136,6 @@ selections:
- var_accounts_passwords_pam_faillock_deny=6
- var_accounts_passwords_pam_faillock_unlock_time=1800
- sshd_idle_timeout_value=15_minutes
-- var_logind_session_timeout=15_minutes
- var_password_pam_minlen=7
- var_password_pam_minclass=2
- var_accounts_maximum_age_login_defs=90
--
2.39.1

3148
SOURCES/scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1950
SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch Normal file
View File

File diff suppressed because it is too large Load Diff

68
SPECS/scap-security-guide.spec
View File

@ -5,8 +5,8 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.63
Release: 5%{?dist}
Version: 0.1.66
Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -14,45 +14,21 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
# Rsyslog files rules remediations
Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
# Extends rsyslog_logfiles_attributes_modify template for permissions
Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
# Change custom zones check in firewalld_sshd_port_enabled
Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
# Accept required and requisite control flag for pam_pwhistory
Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
# remove rule logind_session_timeout and associated variable from profiles
Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
BuildArch: noarch
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
Patch16: scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
Patch17: scap-security-guide-0.1.64-sshd_ciphers_regex-PR_9486.patch
Patch18: scap-security-guide-0.1.65-update_rhel8_stig_to_v1r8-PR_9780.patch
Patch19: scap-security-guide-0.1.65-stig_rhel8_sshd_disable_compression-PR_9798.patch
Patch20: scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch
Patch21: scap-security-guide-0.1.65-pam_retry_conflicts_and_duplicates-PR_9805.patch
Patch22: scap-security-guide-0.1.65-accounts_passwords_conflicts_and_duplicates-PR_9804.patch
Patch23: scap-security-guide-0.1.65-stig_rhel8_rekeylimit-PR_9800.patch
Patch24: scap-security-guide-0.1.65-sysctl_usr_local_lib_sysctl.d-PR_9818.patch
Patch25: scap-security-guide-0.1.65-add_fapolicy_default_deny-PR_9278.patch
Patch26: scap-security-guide-0.1.65-rhel8_stig_v1r8_RHEL_08_020352-PR_9816.patch
Patch27: scap-security-guide-0.1.65-RHEL_08_040137_v1r8-PR_9817.patch
Patch28: scap-security-guide-0.1.66-map_stig_rhel_08_040400-PR_9878.patch
Patch29: scap-security-guide-0.1.64-add_warning_ip_forwarding-PR_9555.patch
Patch30: scap-security-guide-0.1.65-refactor_firewalld_sshd_port_enabled-PR_9712.patch
Patch31: scap-security-guide-0.1.65-ansible214_compatibility-PR_9807.patch
Patch32: scap-security-guide-0.1.65-align_ansible_services_template-PR_9806.patch
Patch33: scap-security-guide-0.1.65-realign_ansible_services_without_warn-PR_9819.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
@ -156,6 +132,22 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
- Unselect rule logind_session_timeout (RHBZ#2158404)
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
- Fix levels of CIS rules (RHBZ#2162803)
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
- Add rule for audit immutable login uids (RHBZ#2151553)
- Fix remediation of audit watch rules (RHBZ#2119356)
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
- Fix applicability of kerberos rules (RHBZ#2099394)
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)