diff --git a/.gitignore b/.gitignore index d3d33d0..573eb37 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.47.tar.bz2 +SOURCES/scap-security-guide-0.1.50.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 3f50c30..d7de47e 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -4459787cf5bceb48e0743b84057196206e999ca4 SOURCES/scap-security-guide-0.1.47.tar.bz2 +1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index ae3d0dd..428ede7 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -1,34 +1,36 @@ -From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 17 Dec 2018 13:30:06 +0100 -Subject: [PATCH] Disable profiles that are not in good shape for RHEL8. +From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 17 Jan 2020 19:01:22 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 They raise too many errors and fails. +Also disable tables for profiles that are not built. --- - rhel8/CMakeLists.txt | 3 ++- - rhel8/profiles/cjis.profile | 2 +- - rhel8/profiles/cui.profile | 2 +- - rhel8/profiles/hipaa.profile | 2 +- - rhel8/profiles/rht-ccp.profile | 2 +- - rhel8/profiles/standard.profile | 2 +- - 6 files changed, 7 insertions(+), 6 deletions(-) + rhel8/CMakeLists.txt | 2 -- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/cui.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 9 files changed, 8 insertions(+), 10 deletions(-) 
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt -index 99bccbed7..77f8ccaec 100644 +index 40f2b2b0f..492a8dae1 100644 --- a/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt -@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") -ssg_build_html_nistrefs_table(${PRODUCT} "standard") -+# Standard profile is disabled for RHEL8 as it is not in good shape -+#ssg_build_html_nistrefs_table(${PRODUCT} "standard") ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + ssg_build_html_nistrefs_table(${PRODUCT} "stig") # Uncomment when anssi profiles are marked documentation_complete: true + #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index a7f8c0b16..c460793be 100644 +index 05ea9cdd6..9c55ac5b1 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -47,18 +49,28 @@ index eb62252a4..e8f369708 100644 title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index feb98007c..0667f65ed 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile +diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile +index 1efca5f44..c3d0b0964 100644 +--- a/rhel8/profiles/rhelh-stig.profile ++++ b/rhel8/profiles/rhelh-stig.profile 
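Review bot: The refreshed inner patch's summary line `9 files changed, 8 insertions(+), 10 deletions(-)` no longer matches the file list above it: the seven entries shown (`CMakeLists.txt | 2 --` plus six profiles at `2 +-`) add up to 6 insertions and 8 deletions across 7 files, which suggests the header was hand-edited after entries were dropped (presumably the hipaa one, since the hipaa hunk further down is replaced by rhelh-stig). `git am` ignores the diffstat, so nothing breaks, but a stale summary misleads whoever rebases this next. Regenerating the patch with `git format-patch` rather than editing the header keeps the numbers honest. The inner patch continues past this hunk.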
@@ -1,4 +1,4 @@ --documentation_complete: True +-documentation_complete: true +documentation_complete: false - title: 'Health Insurance Portability and Accountability Act (HIPAA)' + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + +diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile +index 2baee6d66..8592d7aaf 100644 +--- a/rhel8/profiles/rhelh-vpp.profile ++++ b/rhel8/profiles/rhelh-vpp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile -index 023663b21..8b22bc711 100644 +index c84579592..164ec98c4 100644 --- a/rhel8/profiles/rht-ccp.profile +++ b/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -78,5 +90,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.19.2 +2.21.1 diff --git a/SOURCES/scap-security-guide-0.1.48-e8_polish.patch b/SOURCES/scap-security-guide-0.1.48-e8_polish.patch deleted file mode 100644 index 0097c4b..0000000 --- a/SOURCES/scap-security-guide-0.1.48-e8_polish.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 21 Nov 2019 16:28:23 +0100 -Subject: [PATCH 1/2] Updated the e8 profile for RHEL8. - -- removed obsolete SSHD settings. -- added rules for crypto policies. ---- - rhel8/profiles/e8.profile | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile -index 53b4c156e2..f0f19a4708 100644 ---- a/rhel8/profiles/e8.profile -+++ b/rhel8/profiles/e8.profile -@@ -123,14 +123,16 @@ selections: - - sshd_print_last_log - - sshd_use_priv_separation - - sshd_do_not_permit_user_env -- - sshd_disable_rhosts_rsa - - sshd_disable_rhosts -- - sshd_allow_only_protocol2 - - sshd_set_loglevel_info - - sshd_disable_empty_passwords - - sshd_disable_user_known_hosts - - sshd_enable_strictmodes - -+ - var_system_crypto_policy=default -+ - configure_crypto_policy -+ - configure_ssh_crypto_policy -+ - ### Application whitelisting - - package_fapolicyd_installed - - service_fapolicyd_enabled - -From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Mon, 25 Nov 2019 16:42:37 +0100 -Subject: [PATCH 2/2] Update the crypto policy and rationale. - ---- - rhel8/profiles/e8.profile | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile -index f0f19a4708..f78e908482 100644 ---- a/rhel8/profiles/e8.profile -+++ b/rhel8/profiles/e8.profile -@@ -129,7 +129,10 @@ selections: - - sshd_disable_user_known_hosts - - sshd_enable_strictmodes - -- - var_system_crypto_policy=default -+ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this. -+ # TODO: Re-evaluate after another crypto policies become available. 
-+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography -+ - var_system_crypto_policy=future - - configure_crypto_policy - - configure_ssh_crypto_policy - diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch new file mode 100644 index 0000000..e859c54 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch 
@@ -0,0 +1,71 @@ +From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 08:17:20 +0200 +Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated + +--- + .../ansible/shared.yml | 33 +++++++++++++++++++ + 1 file changed, 33 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +new file mode 100644 +index 0000000000..5d76b3c073 +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +@@ -0,0 +1,33 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: Configure daily log rotation in /etc/logrotate.conf ++ lineinfile: ++ create: yes ++ dest: "/etc/logrotate.conf" ++ regexp: "^daily$" ++ line: "daily" ++ ++- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf ++ lineinfile: ++ create: no ++ dest: "/etc/logrotate.conf" ++ regexp: "^(weekly|monthly|yearly)$" ++ state: absent ++ ++- name: Configure cron.daily if not already ++ block: ++ - name: Add shebang ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: "#!/bin/sh" ++ insertbefore: BOF ++ create: yes ++ - name: Add logrotate call ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: '/usr/sbin/logrotate /etc/logrotate.conf' ++ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' + +From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 14:48:15 +0200 +Subject: [PATCH 2/2] Add test for ensure_logrotate_activated + +Test scenario when monthly is there, but weekly is not. 
+--- + .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +new file mode 100644 +index 0000000000..b10362989b +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++sed -i "s/weekly/daily/g" /etc/logrotate.conf ++echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch new file mode 100644 index 0000000..a864ebf --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch 
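Review bot: The `Add shebang` task creates `/etc/cron.daily/logrotate` with `create: yes` but sets no `mode`, so a file that did not exist before is created with default (non-executable) permissions, and run-parts skips non-executable entries in cron.daily — the remediation would leave a script that never runs. Add `mode: '0755'` to that `lineinfile` task (the `Add logrotate call` task can carry it too) so the created script is executable; whether the bash remediation for this rule handles the mode is outside this hunk. A smaller point: `regexp: "^(weekly|monthly|yearly)$"` only matches lines with no surrounding whitespace, so an indented `  weekly` survives and still overrides `daily`; `regexp: '^\s*(weekly|monthly|yearly)\s*$'` covers that while still matching what the new `logrotate_conf_extra_monthly.fail.sh` scenario sets up.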
@@ -0,0 +1,115 @@ +From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:49:08 +0200 +Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++ + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..a816eea390 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 4" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..b36125f5bb +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -0,0 +1,11 @@ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++# platform = Red Hat Enterprise Linux 8 ++ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxSessions" $SSHD_CONFIG; then ++ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG ++ else ++ echo "MaxSessions 10" >> $SSHD_CONFIG ++fi + +From 
027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 May 2020 20:53:50 +0200 +Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions + +--- + .../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++ + .../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++ + .../tests/correct_value.pass.sh | 2 +- + .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +- + 4 files changed, 22 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +new file mode 100644 +index 0000000000..a7e171dfe9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++- (xccdf-var var_sshd_max_sessions) ++ ++{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +new file mode 100644 +index 0000000000..fc0a1d8b42 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +@@ -0,0 +1,12 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++populate var_sshd_max_sessions ++ ++{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +index a816eea390..4cc6d65988 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG + else +- echo "MaxSessions 4" >> $SSHD_CONFIG ++ echo "MaxSessions 4" >> $SSHD_CONFIG + fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +index b36125f5bb..bc0c47842a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" + if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG + else +- echo "MaxSessions 10" >> $SSHD_CONFIG ++ echo "MaxSessions 10" >> $SSHD_CONFIG + fi diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch new file mode 100644 index 0000000..ff529ca --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch 
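Review bot: Both new test scenarios (`correct_value.pass.sh`, `wrong_value.fail.sh`) place `#!/bin/bash` on line 4, after the `# profiles` and `# platform` header comments, so it is just a comment rather than an interpreter line; the shebang should be the first line with the metadata comments below it, as `#!/bin/bash` then `# profiles = ...`. The second inner commit touches these files only to re-indent the `echo` lines, so it is the natural place to fix the ordering as well. In the Ansible remediation, `value="{{ var_sshd_max_sessions}}"` is missing the space before `}}`; it renders, but `"{{ var_sshd_max_sessions }}"` matches the style used elsewhere in the hunk's templates.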
@@ -0,0 +1,147 @@ +From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 11:52:35 +0200 +Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line + +Very likey a copy-pasta error from bash remediation for +audit_rules_immutable +--- + .../audit_rules_system_shutdown/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index 1c9748ce9b..b56513cdcd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -8,7 +8,7 @@ + # files to check if '-f .*' setting is present in that '*.rules' file already. + # If found, delete such occurrence since auditctl(8) manual page instructs the + # '-f 2' rule should be placed as the last rule in the configuration +-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' ++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + + # Append '-f 2' requirement at the end of both: + # * /etc/audit/audit.rules file (for auditctl case) + +From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 12:12:21 +0200 +Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown + +Along with very basic test scenarios +--- + .../ansible/shared.yml | 28 +++++++++++++++++++ + .../tests/augen_correct.pass.sh | 4 +++ + .../tests/augen_e_2_immutable.fail.sh | 3 ++ + 3 files changed, 35 insertions(+) + create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +new file mode 100644 +index 0000000000..b9e8fa87fa +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +@@ -0,0 +1,28 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Collect all files from /etc/audit/rules.d with .rules extension ++ find: ++ paths: "/etc/audit/rules.d/" ++ patterns: "*.rules" ++ register: find_rules_d ++ ++- name: Remove the -f option from all Audit config files ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^\s*(?:-f)\s+.*$' ++ state: absent ++ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" ++ ++- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++ lineinfile: ++ path: "{{ item }}" ++ create: True ++ line: "-f 2" ++ loop: ++ - "/etc/audit/audit.rules" ++ - "/etc/audit/rules.d/immutable.rules" ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..0587b937e0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +@@ -0,0 +1,4 @@ 
++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules ++echo "-f 2" >> /etc/audit/rules.d/immutable.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +new file mode 100644 +index 0000000000..fa5b7231df +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules + +From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 14:06:08 +0200 +Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name + +--- + .../audit_rules_immutable/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 5ac7b3dabb..1cafb744cc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -17,7 +17,7 @@ + state: absent + loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" + +-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: "{{ item }}" + create: True + +From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 11:02:56 +0200 +Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix + +--- + 
.../audit_rules_system_shutdown/bash/shared.sh | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index b56513cdcd..a349bb1ca1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -4,16 +4,8 @@ + # + # /etc/audit/audit.rules, (for auditctl case) + # /etc/audit/rules.d/*.rules (for augenrules case) +-# +-# files to check if '-f .*' setting is present in that '*.rules' file already. +-# If found, delete such occurrence since auditctl(8) manual page instructs the +-# '-f 2' rule should be placed as the last rule in the configuration + find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +-# Append '-f 2' requirement at the end of both: +-# * /etc/audit/audit.rules file (for auditctl case) +-# * /etc/audit/rules.d/immutable.rules (for augenrules case) +- + for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" + do + echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch new file mode 100644 index 0000000..2b5acdc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch 
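Review bot: The new Ansible remediation's `find` scans only `/etc/audit/rules.d/` and then appends `/etc/audit/audit.rules` by hand, whereas the bash remediation in the same patch runs `find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules'`, so a stale `-f` line in any other `*.rules` file directly under `/etc/audit` is removed by bash but left alone by Ansible. Giving the `find` task both directories, `paths: ["/etc/audit/", "/etc/audit/rules.d/"]` with `recurse: no`, and dropping the manual `+ ['/etc/audit/audit.rules']` from the `loop` (it would then be matched by the pattern) keeps the two remediations equivalent. The two test scenarios only write `/etc/audit/rules.d/immutable.rules`; a scenario that puts `-f 2` solely in `/etc/audit/audit.rules` would exercise the auditctl path that both remediations also handle.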
@@ -0,0 +1,49 @@ +From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 21 May 2020 18:16:43 +0200 +Subject: [PATCH] Attribute content to CIS + +And update the description a bit. +--- + rhel7/profiles/cis.profile | 8 +++++--- + rhel8/profiles/cis.profile | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 0826a49547..829c388133 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 7 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released +- 12-27-2017. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index f332ee5462..868b9f21a6 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 8 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released +- 09-30-2019. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules 
diff --git a/SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch similarity index 67% rename from SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch rename to SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch index 9d425f5..3c4f3b1 100644 --- a/SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch +++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch @@ -1,26 +1,24 @@ -From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 Nov 2019 18:05:32 +0100 -Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles +From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 12:17:48 +0200 +Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 -As the profile doesn't require a particular disk partition layout, I -went for the 'autopart' feature. --- - rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ - 2 files changed, 244 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg - create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg + rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + 2 files changed, 250 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg -diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg new file mode 100644 -index 0000000000..9e44a87a86 +index 0000000000..14c82c4231 
--- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server ++++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server +# Version: 0.0.1 -+# Date: 2019-11-13 ++# Date: 2020-05-25 +# +# Based on: +# http://fedoraproject.org/wiki/Anaconda/Kickstart @@ -115,7 +113,7 @@ index 0000000000..9e44a87a86 + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware -+# ++# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture @@ -124,9 +122,12 @@ index 0000000000..9e44a87a86 +# Create primary system partitions (required for installs) +autopart + ++# Harden installation with HIPAA profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands +%addon org_fedora_oscap + content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_e8 ++ profile = xccdf_org.ssgproject.content_profile_hipaa +%end + +# Packages selection (%packages section is required) @@ -140,19 +141,19 @@ index 0000000000..9e44a87a86 +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg new file mode 100644 -index 0000000000..3555f528cb +index 0000000000..861db36f18 
--- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server ++++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server +# Version: 0.0.1 -+# Date: 2019-11-13 ++# Date: 2020-05-25 +# +# Based on: +# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Install a fresh new system (optional) +install 
@@ -220,143 +221,54 @@ index 0000000000..3555f528cb +firewall --enabled --ssh + +# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_e8 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject - -From 94249bce4b61c33e52f59efdb112e2082b4acf46 
Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Nov 2019 11:19:51 +0100 -Subject: [PATCH 2/4] Use authselect for el8 kickstart - -auth and authconfig are deprecated ---- - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index 3555f528cb..e814024e2e 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf - firewall --enabled --ssh - - # Set up the authentication options for the system (required) --# --enableshadow enable shadowed passwords by default --# --passalgo hash / crypt algorithm for new passwords --# See the manual page for authconfig for a complete list of possible options. --authconfig --enableshadow --passalgo=sha512 +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. 
+authselect select sssd - - # State of SELinux on the installed system (optional) - # Defaults to enforcing - -From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Nov 2019 11:22:31 +0100 -Subject: [PATCH 3/4] Updated kickstart documenation link for el8 - ---- - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index e814024e2e..41d4b3d654 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -4,7 +4,7 @@ - # - # Based on: - # http://fedoraproject.org/wiki/Anaconda/Kickstart --# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart - - # Install a fresh new system (optional) - install - -From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 18 Nov 2019 13:31:18 +0100 -Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation - ---- - rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++ - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++ - 2 files changed, 6 insertions(+) - -diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -index 9e44a87a86..23f1bad7e1 100644 ---- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -@@ -104,6 +104,9 @@ clearpart --linux --initlabel - # Create primary system partitions (required for installs) - autopart - -+# Harden installation with Essential Eight profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands - %addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_e8 -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index 41d4b3d654..8380ea13a3 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -104,6 +104,9 @@ clearpart --linux --initlabel - # Create primary system partitions (required for installs) - autopart - -+# Harden installation with Essential Eight profile ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile +# For more details and configuration options see +# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program - %addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_e8 ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch new file mode 100644 index 0000000..e6dc9cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch 
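Review bot: The `bootloader --location=mbr ... --password=$6$rhel6usgcb$...` line in the new rhel8 HIPAA kickstart passes what looks like a sha512-crypt hash without `--iscrypted`, so Anaconda should treat the whole `$6$…` string as the literal plaintext GRUB password rather than as a hash, and the comment `# Plaintext password is: password` then describes neither what actually gets set nor a format GRUB2 accepts (GRUB2 expects a PBKDF2 hash, as produced by `grub2-mkpasswd-pbkdf2`, together with `--iscrypted`). I would either add `--iscrypted` with a freshly generated PBKDF2 hash or state plainly that this is a sample value, e.g. replace the two comment lines with `# Sample value only: generate a PBKDF2 hash with grub2-mkpasswd-pbkdf2 and pass it with --iscrypted before using this kickstart`. The same caveat applies to the `user --name=admin ... --password=` sample visible in the hunk's context line.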
@@ -0,0 +1,76 @@ +From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 22 May 2020 14:12:18 +0200 +Subject: [PATCH] Add missing CCEs for RHEL8 + +--- + .../password_storage/no_netrc_files/rule.yml | 1 + + .../accounts_user_interactive_home_directory_exists/rule.yml | 1 + + .../file_groupownership_home_directories/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 3 --- + 4 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +index 8547893201..1bd1f5742e 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel6: 27225-2 + cce@rhel7: 80211-6 ++ cce@rhel8: 83444-0 + cce@ocp4: 82667-7 + + references: +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +index bedf3a0b19..e69bc9d736 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: 80529-1 ++ cce@rhel8: 83424-2 + + references: + stigid@ol7: "020620" +diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +index 1c5ac8d099..f931f6d160 100644 +--- 
a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +@@ -20,6 +20,7 @@ severity: medium + + identifiers: + cce@rhel7: 80532-5 ++ cce@rhel8: 83434-1 + + references: + stigid@ol7: "020650" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 2f0d2a526b..45d03a2c1d 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -95,7 +95,6 @@ CCE-83411-9 + CCE-83421-8 + CCE-83422-6 + CCE-83423-4 +-CCE-83424-2 + CCE-83425-9 + CCE-83426-7 + CCE-83427-5 +@@ -105,7 +104,6 @@ CCE-83430-9 + CCE-83431-7 + CCE-83432-5 + CCE-83433-3 +-CCE-83434-1 + CCE-83435-8 + CCE-83436-6 + CCE-83437-4 +@@ -115,7 +113,6 @@ CCE-83440-8 + CCE-83441-6 + CCE-83442-4 + CCE-83443-2 +-CCE-83444-0 + CCE-83445-7 + CCE-83446-5 + CCE-83447-3 diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch new file mode 100644 index 0000000..b435b97 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch 
@@ -0,0 +1,103 @@ +From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 13:30:24 +0200 +Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +index e9a29a24d5..6fbb7c72a5 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +@@ -3,13 +3,9 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Test for existence of /etc/securetty +- stat: +- path: /etc/securetty +- register: securetty_empty ++ + + - name: "Direct root Logins Not Allowed" + copy: + dest: /etc/securetty + content: "" +- when: securetty_empty.stat.size > 1 + +From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:21:38 +0200 +Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8 + +--- + shared/templates/template_ANSIBLE_sebool | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool +index 29f37081be..38d7c7c350 100644 +--- a/shared/templates/template_ANSIBLE_sebool ++++ b/shared/templates/template_ANSIBLE_sebool +@@ -13,11 +13,17 @@ + {{% else %}} + - (xccdf-var var_{{{ SEBOOLID }}}) + ++{{% if product == "rhel8" %}} ++- name: Ensure python3-libsemanage installed ++ package: ++ name: python3-libsemanage ++ state: present ++{{% else %}} + - name: Ensure libsemanage-python 
installed + package: + name: libsemanage-python + state: present +- ++{{% endif %}} + - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly + seboolean: + name: {{{ SEBOOLID }}} + +From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 May 2020 14:57:05 +0200 +Subject: [PATCH 3/3] add tests for no_direct_root_logins + +--- + .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++ + .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++ + 3 files changed, 9 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +new file mode 100644 +index 0000000000..17251f6a98 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo > /etc/securetty +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +new file mode 100644 +index 0000000000..c764814b26 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -f /etc/securetty +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..43ac341e87 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "something" > /etc/securetty diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch new file mode 100644 index 0000000..5c6664f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch 
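Review bot: `tests/correct.pass.sh` writes a newline into `/etc/securetty` (`echo > /etc/securetty` yields a one-byte file), while the remediation in the first patch now produces a zero-byte file with `content: ""`; the two disagree on what an acceptable `/etc/securetty` looks like, and whether the check tolerates a whitespace-only line cannot be seen from this hunk. I would make the pass scenario match the remediated state, `: > /etc/securetty` (or `truncate -s 0 /etc/securetty`), and add a separate scenario only if a blank-line file is meant to pass as well. Dropping the `stat`/`when: securetty_empty.stat.size > 1` guard also means the copy task now runs unconditionally; `copy` is idempotent so that is fine, but a one-line comment in shared.yml such as `# File is intentionally (re)created empty; a missing file is not acceptable either` would make the intent explicit.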
@@ -0,0 +1,308 @@ +From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 26 May 2020 17:49:21 +0200 +Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation. + +Affected rules: + - selinux_policytype + - selinux_state +--- + .../selinux/selinux_policytype/ansible/shared.yml | 9 ++------- + .../selinux/selinux_policytype/bash/shared.sh | 5 +++-- + .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++ + .../selinux/selinux_state/ansible/shared.yml | 9 ++------- + .../system/selinux/selinux_state/bash/shared.sh | 5 +++-- + .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++ + .../tests/selinux_permissive.fail.sh | 10 ++++++++++ + shared/macros-ansible.jinja | 11 +++++++++++ + shared/macros-bash.jinja | 15 +++++++++++++++ + 9 files changed, 61 insertions(+), 18 deletions(-) + create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 5c70cc9f7f..9f8cf66dfb 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_policy_name) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUXTYPE=' +- line: "SELINUXTYPE={{ var_selinux_policy_name }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh 
b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index d0fbbf4446..2b5ce31b12 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,7 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_policy_name + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} +diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +new file mode 100644 +index 0000000000..1a6eb94953 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE ++else ++ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE ++fi +diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +index b465ac6729..1c1560a86c 100644 +--- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml +@@ -3,11 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low + - (xccdf-var var_selinux_state) + +-- name: "{{{ rule_title }}}" +- lineinfile: +- path: /etc/sysconfig/selinux +- regexp: '^SELINUX=' +- line: 
"SELINUX={{ var_selinux_state }}" +- create: yes ++{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}} +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index 58193b5504..a402a861d7 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,10 +1,11 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv +-# ++ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions ++ + populate var_selinux_state + +-replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' ++{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} + + fixfiles onboot + fixfiles -f relabel +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +new file mode 100644 +index 0000000000..180dd80791 +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE +diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +new file mode 100644 +index 0000000000..3db1e56b5f +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp ++ ++SELINUX_FILE='/etc/selinux/config' ++ ++if grep -s '^[[:space:]]*SELINUX' 
$SELINUX_FILE; then ++ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE ++else ++ echo 'SELINUX=permissive' >> $SELINUX_FILE ++fi +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 6798a25d1f..01d3155b37 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}" + {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} + {{%- endmacro %}} + ++{{# ++ High level macro to set a parameter in /etc/selinux/config. ++ Parameters: ++ - msg: the name for the Ansible task ++ - parameter: parameter to be set in the configuration file ++ - value: value of the parameter ++#}} ++{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{%- endmacro %}} ++ + {{# + Generates an Ansible task that puts 'contents' into a file at 'filepath' + Parameters: +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 3a94fe5dd8..2531d1c52d 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -86,6 +86,21 @@ populate {{{ name }}} + }}} + {{%- endmacro -%}} + ++{{%- macro bash_selinux_config_set(parameter, value) -%}} ++{{{ set_config_file( ++ path="/etc/selinux/config", ++ parameter=parameter, ++ value=value, ++ create=true, ++ insert_after="", ++ insert_before="", ++ insensitive=true, ++ separator="=", ++ separator_regex="\s*=\s*", ++ prefix_regex="^\s*") ++ }}} ++{{%- endmacro -%}} ++ + {{# + # Install a package + # Uses the right command based on pkg_manger proprerty defined in product.yaml. 
+ +From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 27 May 2020 18:48:57 +0200 +Subject: [PATCH 2/2] Remediation requires reboot. + +Update OVAL check to disallow spaces. +Removed selinuxtype_minimum test scenario since breaks the system. +--- + .../selinux/selinux_policytype/ansible/shared.yml | 2 +- + .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++ + .../system/selinux/selinux_policytype/oval/shared.xml | 2 +- + .../tests/selinuxtype_minimum.fail.sh | 10 ---------- + .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++ + .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +- + shared/macros-ansible.jinja | 2 +- + shared/macros-bash.jinja | 4 ++-- + 8 files changed, 14 insertions(+), 16 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +index 9f8cf66dfb..73e6ec7cd4 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml +@@ -1,5 +1,5 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# reboot = false ++# reboot = true + # strategy = restrict + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index 2b5ce31b12..b4f79c97f9 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + 
+ # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +index f1840a1290..3d69fff07f 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml +@@ -27,7 +27,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*) ++ ^SELINUXTYPE=(.*)$ + 1 + + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh +deleted file mode 100644 +index 1a6eb94953..0000000000 +--- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp +- +-SELINUX_FILE='/etc/selinux/config' +- +-if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then +- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE +-else +- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE +-fi +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index a402a861d7..645a7acab4 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -1,4 +1,8 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low + + # Include source function library. + . 
/usr/share/scap-security-guide/remediation_functions +diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +index c0881696e1..8c328060af 100644 +--- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml ++++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml +@@ -18,7 +18,7 @@ + + + /etc/selinux/config +- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$ ++ ^SELINUX=(.*)$ + 1 + + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 01d3155b37..580a0b948e 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}" + - value: value of the parameter + #}} + {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} +-{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} ++{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}} + {{%- endmacro %}} + + {{# +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 2531d1c52d..8abcc914d3 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -96,8 +96,8 @@ populate {{{ name }}} + insert_before="", + insensitive=true, + separator="=", +- separator_regex="\s*=\s*", +- prefix_regex="^\s*") ++ separator_regex="=", ++ prefix_regex="^") + }}} + {{%- endmacro -%}} + diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch new file mode 100644 index 0000000..1e028b7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch 
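Review bot: In the new `selinux_state/tests/selinux_permissive.fail.sh` the sed replacement `\permissive` carries no group number, so GNU sed appears to write a literal `permissive` in place of the whole matched line and drops the `SELINUX=` key (the deleted `selinuxtype_minimum.fail.sh` had the same `\minimum` form); the scenario then exercises a malformed config rather than a permissive one. The intended replacement is the captured prefix plus the value: `sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\1permissive/' $SELINUX_FILE`. The guarding `grep -s '^[[:space:]]*SELINUX'` also matches `SELINUXTYPE=` lines, so a file that has `SELINUXTYPE=` but no `SELINUX=` takes the sed branch and nothing is appended; anchoring it as `grep -s '^[[:space:]]*SELINUX[[:space:]]*='` avoids that. Note that patch 2/2 tightens the OVAL pattern to `^SELINUX=(.*)$`, so the leading-whitespace tolerance in these test patterns no longer mirrors what the check accepts.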
@@ -0,0 +1,40 @@ +From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 23:36:18 +0200 +Subject: [PATCH] Ansible mount_option: split mount and option task + +Separate task that adds mount options mounts the mountpoint into two tasks. +Conditioning the "mount" task on the absence of the target mount option +caused the task to always be skipped when mount option was alredy present, +and could result in the mount point not being mounted. +--- + shared/templates/template_ANSIBLE_mount_option | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index 95bede25f9..a0cf8d6b7a 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -26,14 +26,19 @@ + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + +-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} ++- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options ++ set_fact: ++ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}" ++ when: ++ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options ++ ++- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option + mount: + path: "{{{ MOUNTPOINT }}}" + src: "{{ mount_info.source }}" +- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" ++ opts: "{{ mount_info.options }}" + state: "mounted" + fstype: "{{ mount_info.fstype }}" + when: +- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options + - device_name.stdout is defined + - (device_name.stdout | length > 0) 
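Review bot: The new `set_fact` task decides whether `{{{ MOUNTOPTION }}}` is already present with a plain substring test, `"{{{ MOUNTOPTION }}}" not in mount_info.options`, so an option that is a substring of another (e.g. `exec` inside `noexec`, `suid` inside `nosuid`) is treated as present and never added. Splitting on the comma makes the membership test exact: `when: mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options.split(',')`. The `mount` task below also lost the `mount_info is defined` guard that the removed `when` line carried; if `mount_info` can be undefined while `device_name.stdout` is non-empty (the task that registers it starts before this hunk), `{{ mount_info.source }}` will now error instead of skipping, so restoring `- mount_info is defined` in that task's `when` list seems prudent.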
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch new file mode 100644 index 0000000..47b9cdb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch @@ -0,0 +1,33 @@ +From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 14 May 2020 16:46:07 +0200 +Subject: [PATCH] reorder groups because of permissions verification + +--- + ssg/build_yaml.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index e3e138283c..c9f3179c08 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -700,6 +700,11 @@ def to_xml_element(self): + # audit_rules_privileged_commands, othervise the rule + # does not catch newly installed screeen binary during remediation + # and report fail ++ # the software group should come before the ++ # bootloader-grub2 group because of conflict between ++ # rules rpm_verify_permissions and file_permissions_grub2_cfg ++ # specific rules concerning permissions should ++ # be applied after the general rpm_verify_permissions + # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. + # the firewalld_activation must come before ruleset_modifications, othervise + # remediations for ruleset_modifications won't work +@@ -707,6 +712,7 @@ def to_xml_element(self): + # otherwise the remediation prints error although it is successful + priority_order = [ + "accounts", "auditing", ++ "software", "bootloader-grub2", + "fips", "crypto", + "firewalld_activation", "ruleset_modifications", + "disabling_ipv6", "configuring_ipv6" diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch new file mode 100644 index 0000000..34531f1 --- /dev/null 
+++ b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch 
@@ -0,0 +1,171 @@ +From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 14 May 2020 01:20:53 +0200 +Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig + +All paths in /etc/rsyslog.conf were taken as log files, but paths +in lines containing "include" or "$IncludeConfig" are config files. + +Let's not take them in as log files +--- + .../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a78cd69df2..c74f3da3f5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -87,8 +87,18 @@ + --> + ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_ignore_include_paths + + ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + + +From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 14 May 2020 00:16:37 +0200 +Subject: [PATCH 2/4] Fix permissions of files referenced by include() + +The remediation script also needs to parse the files included via +"include()". +The awk also takes into consideration the multiline aspect. 
+---
+ .../rsyslog_files_permissions/bash/shared.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index 6cbf0c6a24..dca35301e7 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ # (store the result into array for the case there's shell glob used as value of IncludeConfig)
+ readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
++readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
++
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+
+ # Browse each file selected above as containing paths of log files
+ # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
++for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
+ do
+ # From each of these files extract just particular log file path(s), thus:
+ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
+
+From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 15 May 2020 15:53:58 +0200
+Subject: [PATCH 3/4] Make regex for include file more strict
+
+For some reason gensub in awk doesn't support non
capturing group.
+So the group with OR is capturing and we substitute everyting with the
+second group, witch matches the file path.
+---
+ .../rsyslog_files_permissions/bash/shared.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+index dca35301e7..99d2d0e794 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+ # * And also the log file paths listed after rsyslog's $IncludeConfig directive
+ # (store the result into array for the case there's shell glob used as value of IncludeConfig)
+ readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
++readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
+ # Declare an array to hold the final list of different log file paths
+ declare -a LOG_FILE_PATHS
+
+From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Fri, 15 May 2020 16:55:02 +0200
+Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
+
+These three files basically work the same way
+---
+ .../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
+ .../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
+ .../rsyslog_files_permissions/oval/shared.xml | 4 ++--
+ 3 files changed, 22
insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +index 5828f25321..9941e2b94f 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +@@ -86,8 +86,18 @@ + --> + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_groupownership_ignore_include_paths + + ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +index 3c46eab6d6..29dd1a989e 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +@@ -83,8 +83,18 @@ + --> + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 ++ state_owner_ignore_include_paths + + ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) ++ ++ + +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index c74f3da3f5..da37a15b8c 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -87,10 +87,10 @@ + --> + 
^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 +- state_ignore_include_paths ++ state_permissions_ignore_include_paths + + +- ++ +