import scap-security-guide-0.1.50-6.el8

This commit is contained in:
CentOS Sources 2020-07-28 05:13:13 -04:00 committed by Stepan Oksanichenko
parent 7c9bce9777
commit 82da654d43
17 changed files with 2524 additions and 251 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.47.tar.bz2
SOURCES/scap-security-guide-0.1.50.tar.bz2

View File

@ -1 +1 @@
4459787cf5bceb48e0743b84057196206e999ca4 SOURCES/scap-security-guide-0.1.47.tar.bz2
1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2

View File

@ -1,34 +1,36 @@
From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 17 Dec 2018 13:30:06 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 17 Jan 2020 19:01:22 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
They raise too many errors and fails.
Also disable tables for profiles that are not built.
---
rhel8/CMakeLists.txt | 3 ++-
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/hipaa.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
6 files changed, 7 insertions(+), 6 deletions(-)
rhel8/CMakeLists.txt | 2 --
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/cui.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
9 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index 99bccbed7..77f8ccaec 100644
index 40f2b2b0f..492a8dae1 100644
--- a/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt
@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+# Standard profile is disabled for RHEL8 as it is not in good shape
+#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
# Uncomment when anssi profiles are marked documentation_complete: true
#ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal")
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index a7f8c0b16..c460793be 100644
index 05ea9cdd6..9c55ac5b1 100644
--- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -47,18 +49,28 @@ index eb62252a4..e8f369708 100644
title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index feb98007c..0667f65ed 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
@@ -1,4 +1,4 @@
-documentation_complete: True
-documentation_complete: true
+documentation_complete: false
title: 'Health Insurance Portability and Accountability Act (HIPAA)'
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
index 2baee6d66..8592d7aaf 100644
--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index 023663b21..8b22bc711 100644
index c84579592..164ec98c4 100644
--- a/rhel8/profiles/rht-ccp.profile
+++ b/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -78,5 +90,5 @@ index a63ae2cf3..da669bb84 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.19.2
2.21.1

View File

@ -1,60 +0,0 @@
From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 21 Nov 2019 16:28:23 +0100
Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.
- removed obsolete SSHD settings.
- added rules for crypto policies.
---
rhel8/profiles/e8.profile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
index 53b4c156e2..f0f19a4708 100644
--- a/rhel8/profiles/e8.profile
+++ b/rhel8/profiles/e8.profile
@@ -123,14 +123,16 @@ selections:
- sshd_print_last_log
- sshd_use_priv_separation
- sshd_do_not_permit_user_env
- - sshd_disable_rhosts_rsa
- sshd_disable_rhosts
- - sshd_allow_only_protocol2
- sshd_set_loglevel_info
- sshd_disable_empty_passwords
- sshd_disable_user_known_hosts
- sshd_enable_strictmodes
+ - var_system_crypto_policy=default
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
### Application whitelisting
- package_fapolicyd_installed
- service_fapolicyd_enabled
From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 25 Nov 2019 16:42:37 +0100
Subject: [PATCH 2/2] Update the crypto policy and rationale.
---
rhel8/profiles/e8.profile | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
index f0f19a4708..f78e908482 100644
--- a/rhel8/profiles/e8.profile
+++ b/rhel8/profiles/e8.profile
@@ -129,7 +129,10 @@ selections:
- sshd_disable_user_known_hosts
- sshd_enable_strictmodes
- - var_system_crypto_policy=default
+ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
+ # TODO: Re-evaluate after another crypto policies become available.
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
+ - var_system_crypto_policy=future
- configure_crypto_policy
- configure_ssh_crypto_policy

View File

@ -0,0 +1,71 @@
From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 08:17:20 +0200
Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated
---
.../ansible/shared.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
new file mode 100644
index 0000000000..5d76b3c073
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml
@@ -0,0 +1,33 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: yes
+ dest: "/etc/logrotate.conf"
+ regexp: "^daily$"
+ line: "daily"
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: no
+ dest: "/etc/logrotate.conf"
+ regexp: "^(weekly|monthly|yearly)$"
+ state: absent
+
+- name: Configure cron.daily if not already
+ block:
+ - name: Add shebang
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: "#!/bin/sh"
+ insertbefore: BOF
+ create: yes
+ - name: Add logrotate call
+ lineinfile:
+ path: "/etc/cron.daily/logrotate"
+ line: '/usr/sbin/logrotate /etc/logrotate.conf'
+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$'
From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 12 May 2020 14:48:15 +0200
Subject: [PATCH 2/2] Add test for ensure_logrotate_activated
Test scenario when monthly is there, but weekly is not.
---
.../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
new file mode 100644
index 0000000000..b10362989b
--- /dev/null
+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed -i "s/weekly/daily/g" /etc/logrotate.conf
+echo "monthly" >> /etc/logrotate.conf

View File

@ -0,0 +1,115 @@
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:49:08 +0200
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
---
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..a816eea390
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 4" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..b36125f5bb
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+# profiles = xccdf_org.ssgproject.content_profile_cis
+# platform = Red Hat Enterprise Linux 8
+
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
+ else
+ echo "MaxSessions 10" >> $SSHD_CONFIG
+fi
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 May 2020 20:53:50 +0200
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
---
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
.../tests/correct_value.pass.sh | 2 +-
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
4 files changed, 22 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
new file mode 100644
index 0000000000..a7e171dfe9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+- (xccdf-var var_sshd_max_sessions)
+
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
new file mode 100644
index 0000000000..fc0a1d8b42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_sshd_max_sessions
+
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
index a816eea390..4cc6d65988 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
else
- echo "MaxSessions 4" >> $SSHD_CONFIG
+ echo "MaxSessions 4" >> $SSHD_CONFIG
fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
index b36125f5bb..bc0c47842a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
if grep -q "^MaxSessions" $SSHD_CONFIG; then
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
else
- echo "MaxSessions 10" >> $SSHD_CONFIG
+ echo "MaxSessions 10" >> $SSHD_CONFIG
fi

View File

@ -0,0 +1,147 @@
From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 11:52:35 +0200
Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line
Very likey a copy-pasta error from bash remediation for
audit_rules_immutable
---
.../audit_rules_system_shutdown/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index 1c9748ce9b..b56513cdcd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -8,7 +8,7 @@
# files to check if '-f .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-f 2' rule should be placed as the last rule in the configuration
-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
# Append '-f 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 12:12:21 +0200
Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown
Along with very basic test scenarios
---
.../ansible/shared.yml | 28 +++++++++++++++++++
.../tests/augen_correct.pass.sh | 4 +++
.../tests/augen_e_2_immutable.fail.sh | 3 ++
3 files changed, 35 insertions(+)
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
new file mode 100644
index 0000000000..b9e8fa87fa
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+ find:
+ paths: "/etc/audit/rules.d/"
+ patterns: "*.rules"
+ register: find_rules_d
+
+- name: Remove the -f option from all Audit config files
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^\s*(?:-f)\s+.*$'
+ state: absent
+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
+
+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+ lineinfile:
+ path: "{{ item }}"
+ create: True
+ line: "-f 2"
+ loop:
+ - "/etc/audit/audit.rules"
+ - "/etc/audit/rules.d/immutable.rules"
+
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
new file mode 100644
index 0000000000..0587b937e0
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
+echo "-f 2" >> /etc/audit/rules.d/immutable.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
new file mode 100644
index 0000000000..fa5b7231df
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "-e 2" > /etc/audit/rules.d/immutable.rules
From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 14:06:08 +0200
Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name
---
.../audit_rules_immutable/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
index 5ac7b3dabb..1cafb744cc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml
@@ -17,7 +17,7 @@
state: absent
loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}"
-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
lineinfile:
path: "{{ item }}"
create: True
From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 May 2020 11:02:56 +0200
Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix
---
.../audit_rules_system_shutdown/bash/shared.sh | 8 --------
1 file changed, 8 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
index b56513cdcd..a349bb1ca1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
@@ -4,16 +4,8 @@
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
-#
-# files to check if '-f .*' setting is present in that '*.rules' file already.
-# If found, delete such occurrence since auditctl(8) manual page instructs the
-# '-f 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'
-# Append '-f 2' requirement at the end of both:
-# * /etc/audit/audit.rules file (for auditctl case)
-# * /etc/audit/rules.d/immutable.rules (for augenrules case)
-
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> $AUDIT_FILE

View File

@ -0,0 +1,49 @@
From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 21 May 2020 18:16:43 +0200
Subject: [PATCH] Attribute content to CIS
And update the description a bit.
---
rhel7/profiles/cis.profile | 8 +++++---
rhel8/profiles/cis.profile | 8 +++++---
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 0826a49547..829c388133 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 7 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released
- 12-27-2017.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index f332ee5462..868b9f21a6 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -3,9 +3,11 @@ documentation_complete: true
title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
description: |-
- This baseline aligns to the Center for Internet Security
- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released
- 09-30-2019.
+ This profile defines a baseline that aligns to the Center for Internet Security®
+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
selections:
# Necessary for dconf rules

View File

@ -1,26 +1,24 @@
From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 13 Nov 2019 18:05:32 +0100
Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 25 May 2020 12:17:48 +0200
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
As the profile doesn't require a particular disk partition layout, I
went for the 'autopart' feature.
---
rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
2 files changed, 244 insertions(+)
create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg
rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
2 files changed, 250 insertions(+)
create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
new file mode 100644
index 0000000000..9e44a87a86
index 0000000000..14c82c4231
--- /dev/null
+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
@@ -0,0 +1,122 @@
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
+# Version: 0.0.1
+# Date: 2019-11-13
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
@ -115,7 +113,7 @@ index 0000000000..9e44a87a86
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
@ -124,9 +122,12 @@ index 0000000000..9e44a87a86
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_e8
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
@ -140,19 +141,19 @@ index 0000000000..9e44a87a86
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
new file mode 100644
index 0000000000..3555f528cb
index 0000000000..861db36f18
--- /dev/null
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
@@ -0,0 +1,122 @@
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
@@ -0,0 +1,125 @@
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2019-11-13
+# Date: 2020-05-25
+#
+# Based on:
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Install a fresh new system (optional)
+install
@ -220,143 +221,54 @@ index 0000000000..3555f528cb
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# --enableshadow enable shadowed passwords by default
+# --passalgo hash / crypt algorithm for new passwords
+# See the manual page for authconfig for a complete list of possible options.
+authconfig --enableshadow --passalgo=sha512
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_e8
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 Nov 2019 11:19:51 +0100
Subject: [PATCH 2/4] Use authselect for el8 kickstart
auth and authconfig are deprecated
---
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
index 3555f528cb..e814024e2e 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
firewall --enabled --ssh
# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
# State of SELinux on the installed system (optional)
# Defaults to enforcing
From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 Nov 2019 11:22:31 +0100
Subject: [PATCH 3/4] Updated kickstart documenation link for el8
---
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
index e814024e2e..41d4b3d654 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
@@ -4,7 +4,7 @@
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
# Install a fresh new system (optional)
install
From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 18 Nov 2019 13:31:18 +0100
Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation
---
rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++
2 files changed, 6 insertions(+)
diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
index 9e44a87a86..23f1bad7e1 100644
--- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
@@ -104,6 +104,9 @@ clearpart --linux --initlabel
# Create primary system partitions (required for installs)
autopart
+# Harden installation with Essential Eight profile
+# For more details and configuration options see command %addon org_fedora_oscap in
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_e8
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
index 41d4b3d654..8380ea13a3 100644
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
@@ -104,6 +104,9 @@ clearpart --linux --initlabel
# Create primary system partitions (required for installs)
autopart
+# Harden installation with Essential Eight profile
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with HIPAA profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_e8
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_hipaa
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject

View File

@ -0,0 +1,76 @@
From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 22 May 2020 14:12:18 +0200
Subject: [PATCH] Add missing CCEs for RHEL8
---
.../password_storage/no_netrc_files/rule.yml | 1 +
.../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
.../file_groupownership_home_directories/rule.yml | 1 +
shared/references/cce-redhat-avail.txt | 3 ---
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
index 8547893201..1bd1f5742e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
@@ -18,6 +18,7 @@ severity: medium
identifiers:
cce@rhel6: 27225-2
cce@rhel7: 80211-6
+ cce@rhel8: 83444-0
cce@ocp4: 82667-7
references:
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index bedf3a0b19..e69bc9d736 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -21,6 +21,7 @@ severity: medium
identifiers:
cce@rhel7: 80529-1
+ cce@rhel8: 83424-2
references:
stigid@ol7: "020620"
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 1c5ac8d099..f931f6d160 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: 80532-5
+ cce@rhel8: 83434-1
references:
stigid@ol7: "020650"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2f0d2a526b..45d03a2c1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -95,7 +95,6 @@ CCE-83411-9
CCE-83421-8
CCE-83422-6
CCE-83423-4
-CCE-83424-2
CCE-83425-9
CCE-83426-7
CCE-83427-5
@@ -105,7 +104,6 @@ CCE-83430-9
CCE-83431-7
CCE-83432-5
CCE-83433-3
-CCE-83434-1
CCE-83435-8
CCE-83436-6
CCE-83437-4
@@ -115,7 +113,6 @@ CCE-83440-8
CCE-83441-6
CCE-83442-4
CCE-83443-2
-CCE-83444-0
CCE-83445-7
CCE-83446-5
CCE-83447-3

View File

@ -0,0 +1,103 @@
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
---
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
- name: "Direct root Logins Not Allowed"
copy:
dest: /etc/securetty
content: ""
- when: securetty_empty.stat.size > 1
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
---
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
@@ -13,11 +13,17 @@
{{% else %}}
- (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
-
+{{% endif %}}
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
seboolean:
name: {{{ SEBOOLID }}}
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins
---
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
3 files changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
new file mode 100644
index 0000000000..17251f6a98
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
new file mode 100644
index 0000000000..c764814b26
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
new file mode 100644
index 0000000000..43ac341e87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty

View File

@ -0,0 +1,308 @@
From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 26 May 2020 17:49:21 +0200
Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
Affected rules:
- selinux_policytype
- selinux_state
---
.../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
.../selinux/selinux_policytype/bash/shared.sh | 5 +++--
.../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
.../selinux/selinux_state/ansible/shared.yml | 9 ++-------
.../system/selinux/selinux_state/bash/shared.sh | 5 +++--
.../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
.../tests/selinux_permissive.fail.sh | 10 ++++++++++
shared/macros-ansible.jinja | 11 +++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
9 files changed, 61 insertions(+), 18 deletions(-)
create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 5c70cc9f7f..9f8cf66dfb 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_policy_name)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUXTYPE='
- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index d0fbbf4446..2b5ce31b12 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,7 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_policy_name
-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
new file mode 100644
index 0000000000..1a6eb94953
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
+else
+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
+fi
diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
index b465ac6729..1c1560a86c 100644
--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
@@ -3,11 +3,6 @@
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_selinux_state)
-- name: "{{{ rule_title }}}"
- lineinfile:
- path: /etc/sysconfig/selinux
- regexp: '^SELINUX='
- line: "SELINUX={{ var_selinux_state }}"
- create: yes
+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}}
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index 58193b5504..a402a861d7 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,10 +1,11 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-#
+
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
+
populate var_selinux_state
-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
fixfiles onboot
fixfiles -f relabel
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
new file mode 100644
index 0000000000..180dd80791
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE
diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
new file mode 100644
index 0000000000..3db1e56b5f
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
+
+SELINUX_FILE='/etc/selinux/config'
+
+if grep -s '^[[:space:]]*SELINUX' $SELINUX_FILE; then
+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
+else
+ echo 'SELINUX=permissive' >> $SELINUX_FILE
+fi
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 6798a25d1f..01d3155b37 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
{{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/selinux/config.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
+
{{#
Generates an Ansible task that puts 'contents' into a file at 'filepath'
Parameters:
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 3a94fe5dd8..2531d1c52d 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -86,6 +86,21 @@ populate {{{ name }}}
}}}
{{%- endmacro -%}}
+{{%- macro bash_selinux_config_set(parameter, value) -%}}
+{{{ set_config_file(
+ path="/etc/selinux/config",
+ parameter=parameter,
+ value=value,
+ create=true,
+ insert_after="",
+ insert_before="",
+ insensitive=true,
+ separator="=",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*")
+ }}}
+{{%- endmacro -%}}
+
{{#
# Install a package
# Uses the right command based on pkg_manger proprerty defined in product.yaml.
From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 27 May 2020 18:48:57 +0200
Subject: [PATCH 2/2] Remediation requires reboot.
Update OVAL check to disallow spaces.
Removed selinuxtype_minimum test scenario since breaks the system.
---
.../selinux/selinux_policytype/ansible/shared.yml | 2 +-
.../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
.../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
.../tests/selinuxtype_minimum.fail.sh | 10 ----------
.../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
.../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
shared/macros-ansible.jinja | 2 +-
shared/macros-bash.jinja | 4 ++--
8 files changed, 14 insertions(+), 16 deletions(-)
delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
index 9f8cf66dfb..73e6ec7cd4 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
@@ -1,5 +1,5 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
+# reboot = true
# strategy = restrict
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
index 2b5ce31b12..b4f79c97f9 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
index f1840a1290..3d69fff07f 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
@@ -27,7 +27,7 @@
<ind:textfilecontent54_object id="obj_selinux_policy" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUXTYPE=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
deleted file mode 100644
index 1a6eb94953..0000000000
--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-
-SELINUX_FILE='/etc/selinux/config'
-
-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-else
- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-fi
diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
index a402a861d7..645a7acab4 100644
--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
@@ -1,4 +1,8 @@
# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
index c0881696e1..8c328060af 100644
--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 01d3155b37..580a0b948e 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
- value: value of the parameter
#}}
{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
{{%- endmacro %}}
{{#
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 2531d1c52d..8abcc914d3 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -96,8 +96,8 @@ populate {{{ name }}}
insert_before="",
insensitive=true,
separator="=",
- separator_regex="\s*=\s*",
- prefix_regex="^\s*")
+ separator_regex="=",
+ prefix_regex="^")
}}}
{{%- endmacro -%}}

View File

@ -0,0 +1,40 @@
From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 23:36:18 +0200
Subject: [PATCH] Ansible mount_option: split mount and option task
Separate task that adds mount options mounts the mountpoint into two tasks.
Conditioning the "mount" task on the absence of the target mount option
caused the task to always be skipped when mount option was alredy present,
and could result in the mount point not being mounted.
---
shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
index 95bede25f9..a0cf8d6b7a 100644
--- a/shared/templates/template_ANSIBLE_mount_option
+++ b/shared/templates/template_ANSIBLE_mount_option
@@ -26,14 +26,19 @@
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
+ set_fact:
+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
+ when:
+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
+
+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
mount:
path: "{{{ MOUNTPOINT }}}"
src: "{{ mount_info.source }}"
- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
+ opts: "{{ mount_info.options }}"
state: "mounted"
fstype: "{{ mount_info.fstype }}"
when:
- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
- device_name.stdout is defined
- (device_name.stdout | length > 0)

View File

@ -0,0 +1,33 @@
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 14 May 2020 16:46:07 +0200
Subject: [PATCH] reorder groups because of permissions verification
---
ssg/build_yaml.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index e3e138283c..c9f3179c08 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -700,6 +700,11 @@ def to_xml_element(self):
# audit_rules_privileged_commands, othervise the rule
# does not catch newly installed screeen binary during remediation
# and report fail
+ # the software group should come before the
+ # bootloader-grub2 group because of conflict between
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
+ # specific rules concerning permissions should
+ # be applied after the general rpm_verify_permissions
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
# the firewalld_activation must come before ruleset_modifications, othervise
# remediations for ruleset_modifications won't work
@@ -707,6 +712,7 @@ def to_xml_element(self):
# otherwise the remediation prints error although it is successful
priority_order = [
"accounts", "auditing",
+ "software", "bootloader-grub2",
"fips", "crypto",
"firewalld_activation", "ruleset_modifications",
"disabling_ipv6", "configuring_ipv6"

View File

@ -0,0 +1,171 @@
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 01:20:53 +0200
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
All paths in /etc/rsyslog.conf were taken as log files, but paths
in lines containing "include" or "$IncludeConfig" are config files.
Let's not take them in as log files
---
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69df2..c74f3da3f5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,8 +87,18 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their permissions don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 00:16:37 +0200
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
The remediation script also needs to parse the files included via
"include()".
The awk also takes into consideration the multiline aspect.
---
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 6cbf0c6a24..dca35301e7 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 15:53:58 +0200
Subject: [PATCH 3/4] Make regex for include file more strict
For some reason gensub in awk doesn't support non capturing group.
So the group with OR is capturing and we substitute everyting with the
second group, witch matches the file path.
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index dca35301e7..99d2d0e794 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 16:55:02 +0200
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
These three files basically work the same way
---
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 5828f25321..9941e2b94f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -86,8 +86,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
index 3c46eab6d6..29dd1a989e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
@@ -83,8 +83,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their owner don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c74f3da3f5..da37a15b8c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,10 +87,10 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_ignore_include_paths</filter>
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
include() or $IncludeConfig statements.
These paths are conf files, not log files. Their permissions don't need to be as

File diff suppressed because it is too large Load Diff

View File

@ -1,15 +1,26 @@
Name: scap-security-guide
Version: 0.1.47
Release: 2%{?dist}
Version: 0.1.50
Release: 6%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.48-e8_kickstarts.patch
Patch2: scap-security-guide-0.1.48-e8_polish.patch
Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
# Patch6 already contains typo fix
Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires
@ -46,6 +57,16 @@ present in %{name} package.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
mkdir build
%build
@ -80,6 +101,65 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
- CIS Ansible fixes (RHBZ#1760734)
- HIPAA Ansible fixes (RHBZ#1832760)
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
- HIPAA Profile (RHBZ#1832760)
- Enable build of RHEL8 HIPAA Profile
- Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
- Add Ansible fix for sshd_set_max_sessions
- Add CIS Profile content attribution to Center for Internet Security
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Fix Ansible for no_direct_root_logins
- Fix Ansible template for SELinux booleans
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
- Update to the latest upstream release (RHBZ#1815007)
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
- Update to the latest upstream release (RHBZ#1815007)
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)