rpms
/
scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to the 0.1.58 upstream version 

Resolves: rhbz#2014561
This commit is contained in:
Matej Tyc 2021-10-15 17:30:32 +02:00
parent 30760905b3
commit 8449267905
19 changed files with 132 additions and 10350 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -40,3 +40,4 @@
/scap-security-guide-0.1.54.tar.bz2
/scap-security-guide-0.1.56.tar.bz2
/scap-security-guide-0.1.57.tar.bz2
/scap-security-guide-0.1.58.tar.bz2

53
disable-not-in-good-shape-profiles.patch Normal file
View File

@ -0,0 +1,53 @@
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index d61689c97..5e444a101 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
-
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/products/rhel9/profiles/cjis.profile b/rhel9/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
version: 5.4
diff --git a/products/rhel9/profiles/rht-ccp.profile b/rhel9/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: '[RHEL9 DRAFT] Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel9/profiles/standard.profile b/rhel9/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
--- a/products/rhel9/profiles/standard.profile
+++ b/products/rhel9/profiles/standard.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Standard System Security Profile for Red Hat Enterprise Linux 9'
--
2.26.2

702
scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
View File

@ -1,702 +0,0 @@
From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 9 Jul 2021 14:41:03 +0200
Subject: [PATCH 01/12] ensure that higher policy levels can override variables
of lower levels
---
ssg/controls.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 297d80e46c5..165cdf0511a 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id):
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
- for c in all_policy_controls:
- if len(level_ids.intersection(c.levels)) > 0:
- eligible_controls.append(c)
+ defined_variables = []
+ # we will go level by level, from top to bottom
+ # this is done to enable overriding of variables by higher levels
+ for lv in level_ids:
+ for c in all_policy_controls:
+ if lv in c.levels:
+ # if the control has a variable, check if it is not already defined
+ if c.variables.keys().isdisjoint(defined_variables):
+ eligible_controls.append(c)
+ defined_variables += [*c.variables.keys()]
return eligible_controls
def get_all_controls(self, policy_id):
From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 14:02:25 +0200
Subject: [PATCH 02/12] use ordered sets emulated by ordereddict
because of compatibility with python2
---
ssg/controls.py | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 165cdf0511a..611a647e125 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -2,6 +2,7 @@
import logging
import os
from glob import glob
+from collections import OrderedDict
import ssg.build_yaml
import ssg.yaml
@@ -152,16 +153,18 @@ def get_level(self, level_id):
raise ValueError(msg)
def get_level_with_ancestors(self, level_id):
- levels = set()
+ # use OrderedDict for Python2 compatibility instead of ordered set
+ levels = OrderedDict()
level = self.get_level(level_id)
- levels.add(level)
+ levels[level] = ""
if level.inherits_from:
for lv in level.inherits_from:
- levels.update(self.get_level_with_ancestors(lv))
+ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
+ for l in eligible_levels:
+ levels[l] = ""
return levels
-
class ControlsManager():
def __init__(self, controls_dir, env_yaml=None):
self.controls_dir = os.path.abspath(controls_dir)
@@ -198,20 +201,24 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- level_ids = set([lv.id for lv in levels])
+ # we use OrderedDict here with empty values instead of ordered set
+ # cause we want to be compatible with python 2
+ level_ids = OrderedDict()
+ for lv in levels.keys():
+ level_ids[lv.id] = ""
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in level_ids:
+ for lv in level_ids.keys():
for c in all_policy_controls:
if lv in c.levels:
# if the control has a variable, check if it is not already defined
if c.variables.keys().isdisjoint(defined_variables):
eligible_controls.append(c)
- defined_variables += [*c.variables.keys()]
+ defined_variables += list(c.variables.keys())
return eligible_controls
def get_all_controls(self, policy_id):
From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 16:30:10 +0200
Subject: [PATCH 03/12] rework handling of variables when returning all
controls of a level
currently only the top most level variables are kept in the controls
if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control
the original control stays in tact
---
ssg/controls.py | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 611a647e125..4ebb8bda3d7 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -1,8 +1,8 @@
import collections
import logging
import os
+import copy
from glob import glob
-from collections import OrderedDict
import ssg.build_yaml
import ssg.yaml
@@ -154,7 +154,7 @@ def get_level(self, level_id):
def get_level_with_ancestors(self, level_id):
# use OrderedDict for Python2 compatibility instead of ordered set
- levels = OrderedDict()
+ levels = collections.OrderedDict()
level = self.get_level(level_id)
levels[level] = ""
if level.inherits_from:
@@ -201,24 +201,39 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
+ print ("getting levels of " + level_id)
+ print ([ l.id for l in levels.keys()])
# we use OrderedDict here with empty values instead of ordered set
# cause we want to be compatible with python 2
- level_ids = OrderedDict()
+ level_ids = collections.OrderedDict()
for lv in levels.keys():
level_ids[lv.id] = ""
-
+ print (level_ids.keys())
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
for lv in level_ids.keys():
+ print ("going through level " +lv)
for c in all_policy_controls:
+ print (c.levels)
if lv in c.levels:
# if the control has a variable, check if it is not already defined
- if c.variables.keys().isdisjoint(defined_variables):
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
- defined_variables += list(c.variables.keys())
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
+ eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 5 Aug 2021 16:31:25 +0200
Subject: [PATCH 04/12] add tests for defining of variables
---
tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++
tests/unit/ssg-module/test_controls.py | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index aded77c12a6..b98a7cd4e19 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -19,10 +19,14 @@ controls:
- id: S2
levels:
- low
+ rules:
+ - var_password_pam_minlen=1
- id: S3
levels:
- medium
+ rules:
+ - var_password_pam_minlen=2
- id: S4
title: Configure authentication
@@ -36,3 +40,5 @@ controls:
title: Enforce password quality standards
levels:
- high
+ rules:
+ - var_password_pam_minlen=3
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index ff9b04f26c9..06fcb0c375d 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -87,6 +87,11 @@ def test_controls_levels():
assert len(low_controls) == 4
assert len(medium_controls) == 5
+ # test overriding of variables in levels
+ assert c_2.variables["var_password_pam_minlen"] == "1"
+ assert c_3.variables["var_password_pam_minlen"] == "2"
+ assert c_4b.variables["var_password_pam_minlen"] == "3"
+
def test_controls_load_product():
ssg_root = \
From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 6 Aug 2021 09:30:47 +0200
Subject: [PATCH 05/12] make overriding of variables optional
---
ssg/controls.py | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 4ebb8bda3d7..90639fbe4c7 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -198,42 +198,42 @@ def _get_policy(self, policy_id):
raise ValueError(msg)
return policy
- def get_all_controls_of_level(self, policy_id, level_id):
+ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
+ # if override_vars is enabled, then variables from higher levels will
+ # override variables efined in controls of lower levels
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- print ("getting levels of " + level_id)
- print ([ l.id for l in levels.keys()])
# we use OrderedDict here with empty values instead of ordered set
# cause we want to be compatible with python 2
level_ids = collections.OrderedDict()
for lv in levels.keys():
level_ids[lv.id] = ""
- print (level_ids.keys())
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
for lv in level_ids.keys():
- print ("going through level " +lv)
for c in all_policy_controls:
- print (c.levels)
if lv in c.levels:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
+ if override_vars == False:
eligible_controls.append(c)
- for var in variables:
- if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
- else:
- defined_variables.append(var)
+ else:
+ # if the control has a variable, check if it is not already defined
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
+ eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 12:38:42 +0200
Subject: [PATCH 06/12] fix a typo
---
ssg/controls.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 90639fbe4c7..10a304bf8c2 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -200,7 +200,7 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
# if override_vars is enabled, then variables from higher levels will
- # override variables efined in controls of lower levels
+ # override variables defined in controls of lower levels
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
# we use OrderedDict here with empty values instead of ordered set
From 8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 17:02:11 +0200
Subject: [PATCH 07/12] update tests to check that overriding of variables
works
---
.../ssg-module/data/controls_dir/abcd-levels.yml | 4 +---
tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index b98a7cd4e19..99efafd832e 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -25,8 +25,6 @@ controls:
- id: S3
levels:
- medium
- rules:
- - var_password_pam_minlen=2
- id: S4
title: Configure authentication
@@ -41,4 +39,4 @@ controls:
levels:
- high
rules:
- - var_password_pam_minlen=3
+ - var_password_pam_minlen=2
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index 06fcb0c375d..124b344d141 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -89,8 +89,20 @@ def test_controls_levels():
# test overriding of variables in levels
assert c_2.variables["var_password_pam_minlen"] == "1"
- assert c_3.variables["var_password_pam_minlen"] == "2"
- assert c_4b.variables["var_password_pam_minlen"] == "3"
+ assert "var_password_pam_minlen" not in c_3.variables.keys()
+ assert c_4b.variables["var_password_pam_minlen"] == "2"
+
+ for c in low_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "1"
+
+ for c in medium_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "1"
+
+ for c in high_controls:
+ if "var_password_pam_minlen" in c.variables.keys():
+ assert c.variables["var_password_pam_minlen"] == "2"
def test_controls_load_product():
From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 11 Aug 2021 17:02:32 +0200
Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting
controls of a certain level
---
ssg/controls.py | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 10a304bf8c2..7923f0cb379 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -198,9 +198,7 @@ def _get_policy(self, policy_id):
raise ValueError(msg)
return policy
- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
- # if override_vars is enabled, then variables from higher levels will
- # override variables defined in controls of lower levels
+ def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
# we use OrderedDict here with empty values instead of ordered set
@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True):
for lv in level_ids.keys():
for c in all_policy_controls:
if lv in c.levels:
- if override_vars == False:
+ # if the control has a variable, check if it is not already defined
+ variables = list(c.variables.keys())
+ if len(variables) == 0:
eligible_controls.append(c)
- else:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
+ continue
+ for var in variables:
+ if var in defined_variables:
+ # if it is, create new instance of the control and remove the variable
+ # we are going from the top level to the bottom
+ # so we don't want to overwrite variables
+ new_c = copy.deepcopy(c)
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
+ else:
+ defined_variables.append(var)
eligible_controls.append(c)
- for var in variables:
- if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
- else:
- defined_variables.append(var)
- eligible_controls.append(c)
return eligible_controls
def get_all_controls(self, policy_id):
From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 15:30:39 +0200
Subject: [PATCH 09/12] get rid of one ordereddict
---
ssg/controls.py | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 7923f0cb379..891b13c891c 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -201,19 +201,14 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
levels = policy.get_level_with_ancestors(level_id)
- # we use OrderedDict here with empty values instead of ordered set
- # cause we want to be compatible with python 2
- level_ids = collections.OrderedDict()
- for lv in levels.keys():
- level_ids[lv.id] = ""
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
defined_variables = []
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in level_ids.keys():
+ for lv in levels.keys():
for c in all_policy_controls:
- if lv in c.levels:
+ if lv.id in c.levels:
# if the control has a variable, check if it is not already defined
variables = list(c.variables.keys())
if len(variables) == 0:
From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 16:44:57 +0200
Subject: [PATCH 10/12] fix overriding of variables
when there were multiple variables overridden, it caused problems by creating multiple copies of controls
---
ssg/controls.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 891b13c891c..8b69676313c 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id):
if len(variables) == 0:
eligible_controls.append(c)
continue
+ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
for var in variables:
if var in defined_variables:
- # if it is, create new instance of the control and remove the variable
- # we are going from the top level to the bottom
- # so we don't want to overwrite variables
- new_c = copy.deepcopy(c)
- del new_c.variables[var]
- eligible_controls.append(new_c)
+ variables_to_remove.append(var)
else:
defined_variables.append(var)
- eligible_controls.append(c)
+ if len(variables_to_remove) == 0:
+ eligible_controls.append(c)
+ else:
+ new_c = copy.deepcopy(c)
+ for var in variables_to_remove:
+ del new_c.variables[var]
+ eligible_controls.append(new_c)
return eligible_controls
def get_all_controls(self, policy_id):
From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 16:45:38 +0200
Subject: [PATCH 11/12] extended tests to test for multiple overridden
variables
---
.../data/controls_dir/abcd-levels.yml | 2 ++
tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
index 99efafd832e..2e60ec43532 100644
--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -21,6 +21,7 @@ controls:
- low
rules:
- var_password_pam_minlen=1
+ - var_some_variable=1
- id: S3
levels:
@@ -40,3 +41,4 @@ controls:
- high
rules:
- var_password_pam_minlen=2
+ - var_some_variable=3
diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py
index 124b344d141..1465661b04a 100644
--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -104,6 +104,25 @@ def test_controls_levels():
if "var_password_pam_minlen" in c.variables.keys():
assert c.variables["var_password_pam_minlen"] == "2"
+ # now test if controls of lower level has the variable definition correctly removed
+ # because it is overriden by higher level controls
+ s2_high = [c for c in high_controls if c.id == "S2"]
+ assert len(s2_high) == 1
+ assert "var_some_variable" not in s2_high[0].variables.keys()
+ assert "var_password_pam_minlen" not in s2_high[0].variables.keys()
+ s4b_high = [c for c in high_controls if c.id == "S4.b"]
+ assert len(s4b_high) == 1
+ assert s4b_high[0].variables["var_some_variable"] == "3"
+ assert s4b_high[0].variables["var_password_pam_minlen"] == "2"
+
+ # check that in low level the variable is correctly placed there in S2
+ s2_low = [c for c in low_controls if c.id == "S2"]
+ assert len(s2_low) == 1
+ assert s2_low[0].variables["var_some_variable"] == "1"
+ assert s2_low[0].variables["var_password_pam_minlen"] == "1"
+
+
+
def test_controls_load_product():
ssg_root = \
From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 10:39:22 +0200
Subject: [PATCH 12/12] Style improvements
- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence,
and made it return a list - a dictionary result is quite confusing.
- Removed some optimization in the variable deletion loops.
- Extracted functionality to a _get_control_without_variables static
method.
- Defined variable removal steps using set operations.
---
ssg/controls.py | 54 +++++++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 26 deletions(-)
diff --git a/ssg/controls.py b/ssg/controls.py
index 8b69676313c..ca3187d5b16 100644
--- a/ssg/controls.py
+++ b/ssg/controls.py
@@ -152,17 +152,17 @@ def get_level(self, level_id):
)
raise ValueError(msg)
- def get_level_with_ancestors(self, level_id):
+ def get_level_with_ancestors_sequence(self, level_id):
# use OrderedDict for Python2 compatibility instead of ordered set
levels = collections.OrderedDict()
level = self.get_level(level_id)
levels[level] = ""
if level.inherits_from:
for lv in level.inherits_from:
- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()]
+ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()]
for l in eligible_levels:
levels[l] = ""
- return levels
+ return list(levels.keys())
class ControlsManager():
@@ -200,35 +200,37 @@ def _get_policy(self, policy_id):
def get_all_controls_of_level(self, policy_id, level_id):
policy = self._get_policy(policy_id)
- levels = policy.get_level_with_ancestors(level_id)
+ levels = policy.get_level_with_ancestors_sequence(level_id)
all_policy_controls = self.get_all_controls(policy_id)
eligible_controls = []
- defined_variables = []
+ already_defined_variables = set()
# we will go level by level, from top to bottom
# this is done to enable overriding of variables by higher levels
- for lv in levels.keys():
- for c in all_policy_controls:
- if lv.id in c.levels:
- # if the control has a variable, check if it is not already defined
- variables = list(c.variables.keys())
- if len(variables) == 0:
- eligible_controls.append(c)
- continue
- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control
- for var in variables:
- if var in defined_variables:
- variables_to_remove.append(var)
- else:
- defined_variables.append(var)
- if len(variables_to_remove) == 0:
- eligible_controls.append(c)
- else:
- new_c = copy.deepcopy(c)
- for var in variables_to_remove:
- del new_c.variables[var]
- eligible_controls.append(new_c)
+ for lv in levels:
+ for control in all_policy_controls:
+ if lv.id not in control.levels:
+ continue
+
+ variables = set(control.variables.keys())
+
+ variables_to_remove = variables.intersection(already_defined_variables)
+ already_defined_variables.update(variables)
+
+ new_c = self._get_control_without_variables(variables_to_remove, control)
+ eligible_controls.append(new_c)
+
return eligible_controls
+ @staticmethod
+ def _get_control_without_variables(variables_to_remove, control):
+ if not variables_to_remove:
+ return control
+
+ new_c = copy.deepcopy(control)
+ for var in variables_to_remove:
+ del new_c.variables[var]
+ return new_c
+
def get_all_controls(self, policy_id):
policy = self._get_policy(policy_id)
return policy.controls_by_id.values()

5333
scap-security-guide-0.1.58-cis_def-PR_6976.patch
View File

File diff suppressed because it is too large Load Diff

31
scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
View File

@ -1,31 +0,0 @@
From 8466dfa2e6f0f83e848f81f3fb57ee9d97c9e358 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 15:26:00 +0200
Subject: [PATCH] Remove a spurious whitespace trim
The first line of the if- block ended up in the metadata comment.
---
.../disable_ctrlaltdel_reboot/bash/shared.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 4cbf5c8465..610da67668 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,8 +1,8 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
-{{%- if init_system == "systemd" -%}}
+{{% if init_system == "systemd" -%}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
-{{%- else -%}}
+{{%- else %}}
# If system does not contain control-alt-delete.override,
if [ ! -f /etc/init/control-alt-delete.override ]; then
# but does have control-alt-delete.conf file,
@@ -12,4 +12,4 @@ if [ ! -f /etc/init/control-alt-delete.override ]; then
fi
fi
sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override
-{{%- endif -%}}
+{{%- endif %}}

160
scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
View File

@ -1,160 +0,0 @@
From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 18 Aug 2021 15:16:59 +0200
Subject: [PATCH] Fix RHEL7 documentation links.
---
linux_os/guide/services/ldap/openldap_client/group.yml | 2 +-
linux_os/guide/services/ldap/openldap_server/group.yml | 2 +-
.../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +-
.../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +-
linux_os/guide/services/ntp/group.yml | 2 +-
.../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +-
linux_os/guide/services/sssd/group.yml | 2 +-
.../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +---
linux_os/guide/system/auditing/group.yml | 2 +-
.../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +-
.../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +-
11 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml
index bf17a053cd5..a64f105395f 100644
--- a/linux_os/guide/services/ldap/openldap_client/group.yml
+++ b/linux_os/guide/services/ldap/openldap_client/group.yml
@@ -13,7 +13,7 @@ description: |-
files, which is useful when trying to use SSL cleanly across several protocols.
Installation and configuration of OpenLDAP on {{{ full_name }}} is available at
{{% if product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
{{% elif product == "ol7" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}.
{{% endif %}}
diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml
index c180820e9fc..d571867a7f8 100644
--- a/linux_os/guide/services/ldap/openldap_server/group.yml
+++ b/linux_os/guide/services/ldap/openldap_server/group.yml
@@ -7,5 +7,5 @@ description: |-
for an OpenLDAP server.
{{% if product == "rhel7" %}}
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at:
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
{{% endif %}}
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
index 8f939356ab1..7dc188589ee 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
@@ -14,7 +14,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
index 503aecc0de2..27df8595efa 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
@@ -14,7 +14,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for more detailed comparison of the features of both of the choices, and for
further guidance how to choose between the two NTP daemons.
diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml
index 181b10dfd65..b944ee03116 100644
--- a/linux_os/guide/services/ntp/group.yml
+++ b/linux_os/guide/services/ntp/group.yml
@@ -54,7 +54,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% elif product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% elif "ubuntu" in product %}}
{{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}}
{{% elif "debian" in product %}}
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
index 065cf301b95..00739816f5e 100644
--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml
@@ -17,7 +17,7 @@ description: |-
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
{{% else %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
{{% endif %}}
for guidance which NTP daemon to choose depending on the environment used.
diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml
index 5b0caf7d64b..3f4eced7ca7 100644
--- a/linux_os/guide/services/sssd/group.yml
+++ b/linux_os/guide/services/sssd/group.yml
@@ -11,7 +11,7 @@ description: |-
<br /><br />
For more information, see
{{%- if product == "rhel7" -%}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}}
{{%- elif product == "rhel8" -%}}
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}}
{{%- elif product == "ol7" -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
index fc7f149bf40..62a343cf396 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
@@ -8,9 +8,7 @@ description: |-
To enable smart card authentication, consult the documentation at:
<ul>
{{% if product == "rhel7" %}}
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
- {{% elif product == "rhel8" %}}
- <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}</b></li>
+ <li><b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}</b></li>
{{% elif product == "ol7" %}}
<li><b>{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}</b></li>
{{% endif %}}
diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml
index 82f87e81c47..5fce88db032 100644
--- a/linux_os/guide/system/auditing/group.yml
+++ b/linux_os/guide/system/auditing/group.yml
@@ -38,7 +38,7 @@ description: |-
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation available at
- <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
+ <tt>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}}</tt>
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index add0a41fa94..cd07fb4c0ca 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -38,7 +38,7 @@ description: |-
{{% elif product in ["sle12", "sle15"] %}}
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% elif product == "rhel7" %}}
- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}.
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
{{% endif %}}
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
index 8e8b32f1d79..299b96c0592 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
@@ -14,5 +14,5 @@ description: |-
the man page <tt>dconf(1)</tt>.
{{% else %}}
For more information about enforcing preferences in the GNOME3 environment using the DConf
- configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/></b> and the man page <tt>dconf(1)</tt>.
+ configuration system, see <b>{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/></b> and the man page <tt>dconf(1)</tt>.
{{% endif %}}

28
scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
View File

@ -1,28 +0,0 @@
From 041c151df78653f807249cb7cc6cfc3f46a7b168 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 3 Aug 2021 16:50:23 +0200
Subject: [PATCH] add details about gpgkey package for rhel9
---
products/rhel9/product.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 78c65fd805..4ceb332adf 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -13,10 +13,10 @@ init_system: "systemd"
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
-pkg_release: ""
-pkg_version: ""
-aux_pkg_release: ""
-aux_pkg_version: ""
+pkg_release: "4ae0493b"
+pkg_version: "fd431d51"
+aux_pkg_release: "5b32db75"
+aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

55
scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
View File

@ -1,55 +0,0 @@
From 460922d3b258ba5b437afc99b5b02d2690788db9 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@canonical.com>
Date: Tue, 27 Jul 2021 15:20:08 -0400
Subject: [PATCH] Remove FragmentPath check from service_disabled
In https://github.com/systemd/systemd/issues/582 it is documented that
systemd could eventually replace FragmentPath=/dev/null (on masked
services) with the actual service path -- not the fully (symlink)
resolved path as is currently the case.
This matches the behavior currently seen in Ubuntu (all versions) and
RHEL 9/Fedora 34.
Per discussion with Gabriel, Matej, Richard, and Matt, it is best to
remove this check, especially since ActiveState=Masked suffices.
Resolves: #7280
Resolves: #7248
Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
---
shared/templates/service_disabled/oval.template | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/shared/templates/service_disabled/oval.template b/shared/templates/service_disabled/oval.template
index 33b52518307..e4ccb0566e7 100644
--- a/shared/templates/service_disabled/oval.template
+++ b/shared/templates/service_disabled/oval.template
@@ -13,7 +13,6 @@
<criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
<criterion comment="{{{ SERVICENAME }}} is not running" test_ref="test_service_not_running_{{{ SERVICENAME }}}" />
<criterion comment="Property LoadState of service {{{ SERVICENAME }}} is masked" test_ref="test_service_loadstate_is_masked_{{{ SERVICENAME }}}" />
- <criterion comment="Property FragmentPath of service {{{ SERVICENAME }}} is set to /dev/null" test_ref="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" />
</criteria>
</criteria>
</definition>
@@ -41,18 +40,6 @@
<linux:value>masked</linux:value>
</linux:systemdunitproperty_state>
- <linux:systemdunitproperty_test id="test_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" check="all" check_existence="any_exist" comment="Test that the property FragmentPath from the service {{{ SERVICENAME }}} is set to /dev/null" version="1">
- <linux:object object_ref="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- <linux:state state_ref="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}"/>
- </linux:systemdunitproperty_test>
- <linux:systemdunitproperty_object id="obj_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" comment="Retrieve the FragmentPath property of {{{ SERVICENAME }}}" version="1">
- <linux:unit operation="pattern match">^{{{ SERVICENAME }}}\.(service|socket)$</linux:unit>
- <linux:property>FragmentPath</linux:property>
- </linux:systemdunitproperty_object>
- <linux:systemdunitproperty_state id="state_service_fragmentpath_is_dev_null_{{{ SERVICENAME }}}" version="1" comment="FragmentPath is set to /dev/null">
- <linux:value>/dev/null</linux:value>
- </linux:systemdunitproperty_state>
-
{{% else %}}
{{% if init_system != "systemd" %}}

256
scap-security-guide-0.1.58-ism_ks-PR_7392.patch
View File

@ -1,256 +0,0 @@
From 86e1556555fde19d3b6bfa7e280c8d9faf6243d3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 16 Aug 2021 13:08:10 +0200
Subject: [PATCH] Add ISM Official kickstarts
---
.../rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg | 116 ++++++++++++++++++
.../rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg | 116 ++++++++++++++++++
2 files changed, 232 insertions(+)
create mode 100644 products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
create mode 100644 products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
new file mode 100644
index 0000000000..d84d98b12d
--- /dev/null
+++ b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
new file mode 100644
index 0000000000..517919539a
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot enable device at a boot time
+# --device device to be activated and / or configured with the network command
+# --bootproto method to obtain networking configuration for device (default dhcp)
+# --noipv6 disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled reject incoming connections that are not in response to outbound requests
+# --ssh allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux erase all Linux partitions
+# --initlabel initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject

1834
scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
View File

File diff suppressed because it is too large Load Diff

39
scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
View File

@ -1,39 +0,0 @@
From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 24 Aug 2021 12:48:46 +0200
Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it
RHEL8 CIS.
This new selector is used to select explicit DEFAULT value in RHEL8 CIS
L1 profiles. The "default" selector cannot be selected and it causes
errors if used.
---
controls/cis_rhel8.yml | 2 +-
.../software/integrity/crypto/var_system_crypto_policy.var | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 29d972427cf..c0d3f5f40de 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -553,7 +553,7 @@ controls:
automated: yes
rules:
- configure_crypto_policy
- - var_system_crypto_policy=default
+ - var_system_crypto_policy=default_policy
# This rule works in conjunction with the configure_crypto_policy above.
# If a system is remediated to CIS Level 1, just the rule above will apply
diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
index ce301154a39..8b89848d122 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
@@ -13,6 +13,7 @@ interactive: false
options:
default: DEFAULT
+ default_policy: DEFAULT
default_nosha1: "DEFAULT:NO-SHA1"
fips: FIPS
fips_ospp: "FIPS:OSPP"

186
scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
View File

@ -1,186 +0,0 @@
From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 15:05:35 +0200
Subject: [PATCH 1/3] Add cpe platform for s390x arch
---
.../guide/system/bootloader-zipl/group.yml | 2 +-
shared/applicability/arch.yml | 12 +++++++
shared/applicability/general.yml | 5 ---
...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----------
.../proc_sys_kernel_osrelease_arch_s390x.xml | 33 +++++++++++++++++++
5 files changed, 48 insertions(+), 26 deletions(-)
create mode 100644 shared/applicability/arch.yml
create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 64c6c8dffbe..4f8ce753726 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
options to it.
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
-platform: zipl
+platform: s390x_arch
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
new file mode 100644
index 00000000000..48b2aa3ef30
--- /dev/null
+++ b/shared/applicability/arch.yml
@@ -0,0 +1,12 @@
+cpes:
+
+ - not_s390x_arch:
+ name: "cpe:/a:not_s390x_arch"
+ title: "System architecture is not S390X"
+ check_id: proc_sys_kernel_osrelease_arch_not_s390x
+
+ - s390x_arch:
+ name: "cpe:/a:s390x_arch"
+ title: "System architecture is S390X"
+ check_id: proc_sys_kernel_osrelease_arch_s390x
+
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 7382b7dd302..6e3ecfd9bf9 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -24,11 +24,6 @@ cpes:
title: "Package net-snmp is installed"
check_id: installed_env_has_net-snmp_package
- - not_s390x_arch:
- name: "cpe:/a:not_s390x_arch"
- title: "System architecture is not S390X"
- check_id: proc_sys_kernel_osrelease_arch_not_s390x
-
- nss-pam-ldapd:
name: "cpe:/a:nss-pam-ldapd"
title: "Package nss-pam-ldapd is installed"
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
index 1fc625a1e75..d95ce249c49 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
@@ -9,26 +9,8 @@
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>
</metadata>
<criteria>
- <criterion comment="Architecture is not s390x"
- test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
+ <extend_definition comment="Architecture is not s390x"
+ definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="proc_sys_kernel is for s390x architecture"
- id="test_proc_sys_kernel_osrelease_arch_s390x"
- version="1">
- <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
- <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
- <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
- <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
- </ind:textfilecontent54_state>
-
</def-group>
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
new file mode 100644
index 00000000000..abc6f1b0b88
--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <metadata>
+ <title>Test for different architecture than s390x</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Architecture is s390x"
+ test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="proc_sys_kernel is for s390x architecture"
+ id="test_proc_sys_kernel_osrelease_arch_s390x"
+ version="1">
+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+ <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 16:16:11 +0200
Subject: [PATCH 2/3] Remove zipl CPE platform
The package names for zipl changed recently.
As zipl is an s390 exclusive, lets use the arch check instead of
package name check.
---
shared/applicability/bootloaders.yml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
index 57832118447..6856578621c 100644
--- a/shared/applicability/bootloaders.yml
+++ b/shared/applicability/bootloaders.yml
@@ -4,8 +4,3 @@ cpes:
name: "cpe:/a:grub2"
title: "Package grub2 is installed"
check_id: installed_env_has_grub2_package
-
- - zipl:
- name: "cpe:/a:zipl"
- title: "System uses zipl"
- check_id: installed_env_has_zipl_package
From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:53:59 +0200
Subject: [PATCH 3/3] Fix typo in check title
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
Co-authored-by: Jan Černý <jcerny@redhat.com>
---
shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
index abc6f1b0b88..7f416de6475 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -2,7 +2,7 @@
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
version="1">
<metadata>
- <title>Test for different architecture than s390x</title>
+ <title>Test that the architecture is s390x</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>

74
scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
View File

@ -1,74 +0,0 @@
From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 16:17:15 +0200
Subject: [PATCH 1/2] Come up with a better basename
On Red Hat systems, there is 50-redhat.conf, so
60-complianceascode.conf seems to be a generally good fit.
---
shared/templates/sshd_lineinfile/bash.template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index eac758e310b..e15ab9521b8 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/hardening
{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
{{{ set_config_file(
- path="/etc/ssh/sshd_config.d/hardening",
+ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
parameter=PARAMETER,
value=VALUE,
create=true,
From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 17:51:17 +0200
Subject: [PATCH 2/2] Fix the sshd directory config check
The check should consider only files matching .*\.conf
---
.../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++--
.../tests/correct_value_directory.pass.sh | 2 +-
shared/macros-oval.jinja | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
index 177a99e0b82..6e064ffc739 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -11,5 +11,5 @@ else
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
fi
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
index 0aa2e775dbe..acb650915fe 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -11,4 +11,4 @@ else
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
fi
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 87e0fd7d87d..f2fa7d79fc8 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -227,7 +227,7 @@
{{%- endmacro %}}
{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
{{%- endmacro %}}
{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}

664
scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
View File

@ -1,664 +0,0 @@
From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 29 Apr 2021 16:54:03 +0200
Subject: [PATCH 1/6] Updated checks and remediations of the sshd template.
Configuration of sshd moves from one config file to a config directory.
Therefore, checks should consider all those files, and the remediation should aim
to deliver fixes to one of those files in the config directory.
Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.
---
.../tests/commented.fail.sh | 7 ++
.../tests/conflict.fail.sh | 15 ++++
.../tests/correct_value_directory.pass.sh | 14 ++++
shared/macros-bash.jinja | 9 +++
shared/macros-oval.jinja | 61 +++++++++++------
.../templates/sshd_lineinfile/bash.template | 22 ++++++
.../templates/sshd_lineinfile/oval.template | 68 +++++++++++++++++--
7 files changed, 168 insertions(+), 28 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
new file mode 100644
index 00000000000..484c2165532
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
new file mode 100644
index 00000000000..177a99e0b82
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# platform = Fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
+
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
new file mode 100644
index 00000000000..0aa2e775dbe
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# platform = Fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+else
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
+fi
+
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 1cd2c62b5e0..b4518d83c19 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -471,6 +471,15 @@ fi
LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
{{%- endmacro -%}}
+{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}
+ {{%- if insensitive -%}}
+ {{%- set modifier="Id" -%}}
+ {{%- else -%}}
+ {{%- set modifier="d" -%}}
+ {{%- endif -%}}
+LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*
+{{%- endmacro -%}}
+
{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}
{{%- if insensitive -%}}
{{%- set grep_args="-q -m 1 -i" -%}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index be2ac268206..d38db96d9e3 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -92,15 +92,18 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- set prefix_text = "Check the" -%}}
{{%- if missing_parameter_pass %}}
{{%- set suffix_id = suffix_id_default_not_overriden -%}}
{{%- set prefix_text = prefix_text + " absence of" -%}}
{{%- endif %}}
- <criterion comment="{{{ prefix_text }}} {{{ parameter }}} in {{{ path }}}"
- test_ref="test_{{{ rule_id }}}{{{ suffix_id }}}" />
+{{%- if not comment -%}}
+{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}}
+{{%- endif -%}}
+<criterion comment="{{{ comment }}}"
+ test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- endmacro %}}
{{#
@@ -110,7 +113,7 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}}
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- if missing_parameter_pass %}}
{{%- set check_existence = "none_exist" -%}}
@@ -120,14 +123,14 @@
{{%- set check_existence = "all_exist" -%}}
{{%- set prefix_text = "value" -%}}
{{%- endif %}}
- <ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
+<ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
comment="tests the {{{ prefix_text }}} of {{{ parameter }}} setting in the {{{ path }}} file"
- id="test_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
- <ind:object object_ref="obj_{{{ rule_id }}}{{{ suffix_id }}}" />
+ id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- if not missing_parameter_pass %}}
- <ind:state state_ref="state_{{{ rule_id }}}{{{ suffix_id }}}" />
+ <ind:state state_ref="state_{{{ id_stem }}}{{{ suffix_id }}}" />
{{%- endif %}}
- </ind:textfilecontent54_test>
+</ind:textfilecontent54_test>
{{%- endmacro %}}
{{#
@@ -141,7 +144,7 @@
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
#}}
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}}
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
{{%- set suffix_id = "" -%}}
{{%- if multi_value -%}}
{{%- set group_regex = "([^#]*).*$" -%}}
@@ -173,16 +176,16 @@
{{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}}
{{%- endif %}}
{{%- endif %}}
- <ind:textfilecontent54_object id="obj_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
+<ind:textfilecontent54_object id="obj_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
{{%- if filepath_regex %}}
- <ind:path>{{{ path }}}</ind:path>
- <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
+ <ind:path>{{{ path }}}</ind:path>
+ <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
{{%- else %}}
- <ind:filepath>{{{ path }}}</ind:filepath>
+ <ind:filepath>{{{ path }}}</ind:filepath>
{{%- endif %}}
- <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
- <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+ <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
{{%- endmacro %}}
{{#
@@ -193,7 +196,7 @@
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
{{%- set regex = value -%}}
{{%- if quotes != "" %}}
{{%- if "\\1" in value > 0 %}}
@@ -206,9 +209,25 @@
{{%- else %}}
{{%- set regex = "^"+regex+"$" -%}}
{{%- endif %}}
- <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
- <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
- </ind:textfilecontent54_state>
+<ind:textfilecontent54_state id="state_{{{ id_stem }}}" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
+</ind:textfilecontent54_state>
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
+{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}}
+{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{%- endmacro %}}
+
+{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
+{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}}
{{%- endmacro %}}
{{#
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index ca1b512bb3d..eac758e310b 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -3,4 +3,26 @@
# strategy = restrict
# complexity = low
# disruption = low
+{{%- if product in ("fedora", "rhel9") %}}
+{{%- set prefix_regex = "^\s*" -%}}
+{{%- set separator_regex = "\s\+" -%}}
+{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}}
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/hardening
+{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
+{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{{ set_config_file(
+ path="/etc/ssh/sshd_config.d/hardening",
+ parameter=PARAMETER,
+ value=VALUE,
+ create=true,
+ insert_after="",
+ insert_before="^Match",
+ insensitive=true,
+ separator=" ",
+ separator_regex=separator_regex,
+ prefix_regex=prefix_regex)
+ }}}
+{{%- else %}}
{{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}}
+{{%- endif %}}
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
index df63d542505..2cc38776eb2 100644
--- a/shared/templates/sshd_lineinfile/oval.template
+++ b/shared/templates/sshd_lineinfile/oval.template
@@ -1,7 +1,61 @@
-{{{
-oval_sshd_config(
- parameter=PARAMETER,
- value=VALUE,
- missing_parameter_pass=MISSING_PARAMETER_PASS
-)
-}}}
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
+{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}}
+{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}}
+{{%- if product in products_with_distributed_configuration %}}
+{{%- set description = description ~ " and in " ~ config_dir -%}}
+{{%- endif %}}
+{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}}
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata(description) }}}
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criteria comment="sshd is configured correctly" operator="OR">
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}}
+ {{%- if MISSING_PARAMETER_PASS %}}
+ <criteria comment="sshd is not configured incorrectly" operator="AND">
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}}
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}}
+ {{%- endif %}}
+ </criteria>
+ {{%- endif %}}
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}}
+ {{%- endif %}}
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+ {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}}
+ {{{ oval_line_in_file_state(VALUE) | indent (2) }}}
+
+ {{%- if MISSING_PARAMETER_PASS %}}
+ {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
+ {{%- endif %}}
+
+ {{%- if product in products_with_distributed_configuration %}}
+ {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}}
+ {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}}
+ {{{ oval_line_in_directory_state(VALUE) | indent (2) }}}
+
+ {{%- if MISSING_PARAMETER_PASS %}}
+ {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
+ {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
+ {{%- endif %}}
+ {{%- endif %}}
+</def-group>
From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 30 Apr 2021 11:52:22 +0200
Subject: [PATCH 2/6] Improved the lineinfile template.
It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.
---
shared/macros-bash.jinja | 2 +-
shared/templates/lineinfile/oval.template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index b4518d83c19..d654a0e0e89 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
# prefix_regex: regular expression describing allowed leading characters at each line
#}}
{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}
- {{%- set line_regex = prefix_regex+parameter+separator_regex -%}}
+ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
{{%- set new_line = parameter+separator+value -%}}
if [ -e "{{{ path }}}" ] ; then
{{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}
diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template
index a38856d9177..644327b7d6e 100644
--- a/shared/templates/lineinfile/oval.template
+++ b/shared/templates/lineinfile/oval.template
@@ -1,4 +1,4 @@
-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}}
+{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}}
From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 30 Apr 2021 11:54:12 +0200
Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule.
The rule makes sure that the sshd configuration is distributed in the
/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory
in another rules.
---
.../bash/shared.sh | 15 ++++++++++
.../oval/shared.xml | 29 +++++++++++++++++++
.../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++
.../tests/match.fail.sh | 4 +++
.../tests/simple.fail.sh | 3 ++
.../tests/simple.pass.sh | 4 +++
shared/references/cce-redhat-avail.txt | 1 -
shared/templates/extra_ovals.yml | 6 ++++
8 files changed, 87 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
new file mode 100644
index 00000000000..2ff58ec373c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
@@ -0,0 +1,15 @@
+# platform = multi_platform_all
+
+{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
+if test -f {{{ target_file}}}; then
+ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
+else
+ mkdir -p /etc/ssh/sshd_config.d
+ mv /etc/ssh/sshd_config {{{ target_file }}}
+cat > /etc/ssh/sshd_config << EOF
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+
+Include /etc/ssh/sshd_config.d/*.conf
+EOF
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
new file mode 100644
index 00000000000..0ffb429adff
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
@@ -0,0 +1,29 @@
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("foo") }}}
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criteria comment="sshd is configured correctly" operator="AND">
+ <extend_definition comment="sshd includes config files from its .d directory"
+ definition_ref="sshd_includes_config_files" />
+ {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}}
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}}
+ {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}}
+</def-group>
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
new file mode 100644
index 00000000000..8c370036e61
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+prodtype: fedora,rhel9
+
+title: 'Distribute the SSH Server configuration to multiple files in a config directory.'
+
+description: |-
+ Make sure to have the <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> line in the <tt>/etc/ssh/sshd_config</tt> file.
+ Ideally, don't have any active configuration directives in that file, and distribute the service configuration
+ to several files in the <tt>/etc/ssh/sshd_config.d</tt> directory.
+
+rationale: |-
+ This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the <tt>/etc/ssh/sshd_config.d</tt> config directory are effective, there has to be a rule that ensures this.
+ Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-87681-3
+
+ocil_clause: "you don't include other configuration files from the main configuration file"
+
+ocil: |-
+ To determine whether the SSH server includes configuration files from the right directory, run the following command:
+ <pre>$ sudo grep -i '^Include' /etc/ssh/sshd_config</pre>
+ If a line <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> is returned, then the configuration file inclusion is set correctly.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
new file mode 100644
index 00000000000..fa2ee0654f2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+echo "Match something" >> /etc/ssh/sshd_config
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
new file mode 100644
index 00000000000..a6013ad7cfa
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
new file mode 100644
index 00000000000..7a26f521415
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+# Handling of case-insensitivity of include is tricky
+echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 73d025484e6..40a2b9b5868 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1780,7 +1780,6 @@ CCE-87677-1
CCE-87678-9
CCE-87679-7
CCE-87680-5
-CCE-87681-3
CCE-87682-1
CCE-87683-9
CCE-87684-7
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
index 095d911ee1c..69062ebe541 100644
--- a/shared/templates/extra_ovals.yml
+++ b/shared/templates/extra_ovals.yml
@@ -57,3 +57,9 @@ service_syslog_disabled:
vars:
servicename: syslog
packagename: rsyslog
+
+sshd_includes_config_files:
+ name: lineinfile
+ vars:
+ path: /etc/ssh/sshd_config
+ text: "Include /etc/ssh/sshd_config.d/*.conf"
From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 11 May 2021 16:06:29 +0200
Subject: [PATCH 4/6] Improved error reporting related to macros.
---
ssg/jinja.py | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/ssg/jinja.py b/ssg/jinja.py
index a46246ad0fb..28edd9a6dcd 100644
--- a/ssg/jinja.py
+++ b/ssg/jinja.py
@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None):
add_python_functions(substitutions_dict)
try:
- update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict)
- update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict)
+ filenames = [
+ JINJA_MACROS_BASE_DEFINITIONS,
+ JINJA_MACROS_HIGHLEVEL_DEFINITIONS,
+ JINJA_MACROS_ANSIBLE_DEFINITIONS,
+ JINJA_MACROS_BASH_DEFINITIONS,
+ JINJA_MACROS_OVAL_DEFINITIONS,
+ JINJA_MACROS_IGNITION_DEFINITIONS,
+ JINJA_MACROS_KUBERNETES_DEFINITIONS,
+ ]
+ for filename in filenames:
+ update_substitutions_dict(filename, substitutions_dict)
except Exception as exc:
- msg = ("Error extracting macro definitions: {0}"
- .format(str(exc)))
+ msg = ("Error extracting macro definitions from '{1}': {0}"
+ .format(str(exc), filename))
raise RuntimeError(msg)
return substitutions_dict
From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 11 May 2021 16:44:50 +0200
Subject: [PATCH 5/6] Removed devault values that are variables from Jinja
Support in older jinja2 packages is not in a good shape.
---
shared/macros-oval.jinja | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index d38db96d9e3..87e0fd7d87d 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -92,7 +92,8 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- set prefix_text = "Check the" -%}}
{{%- if missing_parameter_pass %}}
@@ -113,7 +114,8 @@
- parameter (String): The parameter to be checked in the configuration file.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
#}}
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- if missing_parameter_pass %}}
{{%- set check_existence = "none_exist" -%}}
@@ -144,7 +146,8 @@
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
#}}
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set suffix_id = "" -%}}
{{%- if multi_value -%}}
{{%- set group_regex = "([^#]*).*$" -%}}
@@ -196,7 +199,8 @@
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
#}}
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}}
+{{%- set id_stem = id_stem or rule_id -%}}
{{%- set regex = value -%}}
{{%- if quotes != "" %}}
{{%- if "\\1" in value > 0 %}}
From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 17:25:25 +0200
Subject: [PATCH 6/6] Don't remediate when it is inappropriate
Don't remediate when the config file already contains the include
directive.
---
.../sshd_use_directory_configuration/bash/shared.sh | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
index 2ff58ec373c..9317b23992d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
@@ -1,12 +1,15 @@
# platform = multi_platform_all
{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
+{{% set base_config = "/etc/ssh/sshd_config" -%}}
if test -f {{{ target_file}}}; then
{{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
+elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then
+ {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}
else
mkdir -p /etc/ssh/sshd_config.d
- mv /etc/ssh/sshd_config {{{ target_file }}}
-cat > /etc/ssh/sshd_config << EOF
+ mv {{{ base_config }}} {{{ target_file }}}
+cat > {{{ base_config }}} << EOF
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below

942
scap-security-guide-0.1.58-various_fixes-PR_7335.patch
View File

@ -1,942 +0,0 @@
From 089c47d6301bb53bb182cbdacf72968979547994 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 30 Jul 2021 16:57:13 +0200
Subject: [PATCH 1/5] Enable more RHEL9 content
---
.../ssh/ssh_client/ssh_client_rekey_limit/rule.yml | 3 ++-
.../disable_ctrlaltdel_burstaction/bash/shared.sh | 2 +-
.../disable_ctrlaltdel_reboot/bash/shared.sh | 4 ----
.../smart_card_login/package_pcsc-lite_installed/rule.yml | 3 ++-
.../smart_card_login/service_pcscd_enabled/rule.yml | 3 ++-
.../root_logins/use_pam_wheel_for_su/rule.yml | 3 ++-
.../user_umask/accounts_umask_etc_csh_cshrc/rule.yml | 3 ++-
.../installed_OS_is_FIPS_certified/oval/shared.xml | 1 +
.../rule.yml | 3 ++-
products/rhel9/profiles/hipaa.profile | 6 +++---
products/rhel9/profiles/ospp.profile | 8 ++++----
products/rhel9/profiles/pci-dss.profile | 4 ++--
shared/references/cce-redhat-avail.txt | 6 ------
13 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
index f43f92c2f15..c0fbe2c5e34 100644
--- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhel9,rhcos4
title: 'Configure session renegotiation for SSH client'
@@ -27,6 +27,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82880-6
+ cce@rhel9: CCE-87522-9
references:
disa: CCI-000068
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
index 7d4faedfb47..d8063726fb4 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
index 94767ad5993..4cbf5c84651 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/bash/shared.sh
@@ -1,9 +1,5 @@
# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
{{%- if init_system == "systemd" -%}}
-{{% if product in ["rhel7", "rhel8"] %}}
-# The process to disable ctrl+alt+del has changed in RHEL7.
-# Reference: https://access.redhat.com/solutions/1123873
-{{% endif %}}
systemctl disable --now ctrl-alt-del.target
systemctl mask --now ctrl-alt-del.target
{{%- else -%}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
index 0652fbeadaf..9c6534cf401 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Install the pcsc-lite package'
@@ -16,6 +16,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-82347-6
cce@rhel8: CCE-80993-9
+ cce@rhel9: CCE-86280-5
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
index e14db48c22a..6472ade5791 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
title: 'Enable the pcscd Service'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80569-7
cce@rhel8: CCE-80881-6
+ cce@rhel9: CCE-87907-2
references:
disa: CCI-001954
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
index a6862c2af25..984a8cf333e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,ubuntu2004
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004
title: 'Enforce usage of pam_wheel for su authentication'
@@ -20,6 +20,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-85855-5
cce@rhel8: CCE-83318-6
+ cce@rhel9: CCE-90085-2
references:
cis@rhel7: "5.7"
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
index 1b71c7d3acd..3779b396b4e 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,sle15,ubuntu2004
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle15,ubuntu2004
title: 'Ensure the Default C Shell Umask is Set Correctly'
@@ -20,6 +20,7 @@ identifiers:
cce@rhcos4: CCE-84261-7
cce@rhel7: CCE-80203-3
cce@rhel8: CCE-81037-4
+ cce@rhel9: CCE-87721-7
references:
cis-csc: '18'
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
index a65bec7348c..3a4847ff9d8 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
@@ -6,6 +6,7 @@
<criteria comment="Installed operating system is a certified operating system" operator="OR">
<extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
<extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
+ <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
<extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />
<extend_definition comment="Installed OS is OL7" definition_ref="installed_OS_is_ol7_family" />
<extend_definition comment="Installed OS is SLE12" definition_ref="installed_OS_is_sle12" />
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 8b6577226fb..4f49b3b825d 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8
+prodtype: rhel8,rhel9
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,6 +17,7 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
+ cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 1e0ea047b98..797c62708e2 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -33,9 +33,9 @@ selections:
- require_singleuser_auth
- restrict_serial_port_logins
- securetty_root_login_console_only
- - service_debug-shell_disabled # not supported in RHEL9 ATM
- - disable_ctrlaltdel_reboot # not supported in RHEL9 ATM
- - disable_ctrlaltdel_burstaction # not supported in RHEL9 ATM
+ - service_debug-shell_disabled
+ - disable_ctrlaltdel_reboot
+ - disable_ctrlaltdel_burstaction
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0ae391c60bf..adec0cbd774 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -107,7 +107,7 @@ selections:
- var_accounts_user_umask=027
- accounts_umask_etc_profile
- accounts_umask_etc_bashrc
-# - accounts_umask_etc_csh_cshrc # not supported in RHEL9 ATM
+ - accounts_umask_etc_csh_cshrc
### Software update
- ensure_redhat_gpgkey_installed
@@ -177,7 +177,7 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
-# - package_dnf-plugin-subscription-manager_installed # not supported in RHEL9 ATM
+ - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed
@@ -221,7 +221,7 @@ selections:
- securetty_root_login_console_only
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
-# - use_pam_wheel_for_su # not supported in RHEL9 ATM
+ - use_pam_wheel_for_su
### SELinux Configuration
- var_selinux_state=enforcing
@@ -422,7 +422,7 @@ selections:
- kerberos_disable_no_keytab
# set ssh client rekey limit
-# - ssh_client_rekey_limit # not supported in RHEL9 ATM
+ - ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index af347501989..1fe85d39ae0 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -121,8 +121,8 @@ selections:
- var_smartcard_drivers=cac
- configure_opensc_card_drivers
- force_opensc_card_drivers
-# - package_pcsc-lite_installed # not supported in RHEL9 ATM
-# - service_pcscd_enabled # not supported in RHEL9 ATM
+ - package_pcsc-lite_installed
+ - service_pcscd_enabled
- sssd_enable_smartcards
- set_password_hashing_algorithm_systemauth
- set_password_hashing_algorithm_logindefs
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index aa0b30da834..e78838a45aa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -396,7 +396,6 @@ CCE-86276-3
CCE-86277-1
CCE-86278-9
CCE-86279-7
-CCE-86280-5
CCE-86281-3
CCE-86282-1
CCE-86283-9
@@ -1618,7 +1617,6 @@ CCE-87518-7
CCE-87519-5
CCE-87520-3
CCE-87521-1
-CCE-87522-9
CCE-87523-7
CCE-87525-2
CCE-87526-0
@@ -1812,7 +1810,6 @@ CCE-87717-5
CCE-87718-3
CCE-87719-1
CCE-87720-9
-CCE-87721-7
CCE-87722-5
CCE-87723-3
CCE-87724-1
@@ -1994,7 +1991,6 @@ CCE-87903-1
CCE-87904-9
CCE-87905-6
CCE-87906-4
-CCE-87907-2
CCE-87908-0
CCE-87909-8
CCE-87910-6
@@ -3932,7 +3928,6 @@ CCE-89874-2
CCE-89875-9
CCE-89877-5
CCE-89878-3
-CCE-89879-1
CCE-89880-9
CCE-89881-7
CCE-89882-5
@@ -4135,7 +4130,6 @@ CCE-90081-1
CCE-90082-9
CCE-90083-7
CCE-90084-5
-CCE-90085-2
CCE-90086-0
CCE-90087-8
CCE-90088-6
From 190cad8bc4ef957583b9e29c1508a1be43660388 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 16:30:45 +0200
Subject: [PATCH 2/5] Fix remediation platforms of RHEL9 rules
---
.../configure_bashrc_exec_tmux/bash/shared.sh | 2 +-
.../configure_tmux_lock_after_time/bash/shared.sh | 2 +-
.../configure_tmux_lock_command/bash/shared.sh | 2 +-
.../console_screen_locking/no_tmux_in_shells/bash/shared.sh | 2 +-
.../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 0c544bfbb82..737d725872d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
cat >> /etc/bashrc <<'EOF'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
index 233047afcbc..947e1dd7ee5 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
index f2430618ab3..0c11c1224e2 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+# platform = multi_platform_all
tmux_conf="/etc/tmux.conf"
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
index 45c43e8d374..60e0a7e34c8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+# platform = multi_platform_all
if grep -q 'tmux$' /etc/shells ; then
sed -i '/tmux$/d' /etc/shells
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
index 87476a7b315..c98847ded72 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4
fips-mode-setup --enable
From 5b23f796b261325ad27b3c1684d3c9430a42679f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 4 Aug 2021 17:56:57 +0200
Subject: [PATCH 3/5] Update the grub config path
RHEL9 and Fedora EFI/legacy grub paths have been unified:
https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
The location of Ubuntu EFI grub paths has been estimated from
https://askubuntu.com/questions/1028742/update-grub-does-not-update-boot-efi-efi-ubuntu-grub-cfg
Location of SLE EFI grub paths has been taken from existing rules
---
.../grub2_uefi_admin_username/oval/shared.xml | 16 ++++---------
.../uefi/grub2_uefi_admin_username/rule.yml | 2 +-
.../uefi/grub2_uefi_password/oval/shared.xml | 24 +++++++------------
.../uefi/grub2_uefi_password/rule.yml | 10 ++++----
.../uefi_no_removeable_media/oval/shared.xml | 16 ++++---------
products/fedora/product.yml | 2 ++
products/rhel7/product.yml | 2 ++
products/rhel8/product.yml | 2 ++
products/rhel9/product.yml | 2 ++
products/sle12/product.yml | 2 ++
products/sle15/product.yml | 1 +
products/ubuntu1604/product.yml | 1 +
products/ubuntu1804/product.yml | 1 +
products/ubuntu2004/product.yml | 1 +
ssg/constants.py | 1 +
ssg/products.py | 4 ++++
tests/shared/grub2.sh | 10 +++++---
17 files changed, 50 insertions(+), 47 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 8545e8ab2c7..7950c15a848 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -1,26 +1,20 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_admin_username" version="1">
{{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_bootloader_uefi_unique_superuser"/>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}. Superuser is not root, admin, or administrator" id="test_bootloader_uefi_unique_superuser" version="1">
<ind:object object_ref="object_bootloader_uefi_unique_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8a98cbdc95f..128d7cc1cb8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 230aab73139..a67c8ad99bb 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -1,32 +1,26 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="grub2_uefi_password" version="1">
{{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
<criteria operator="OR">
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
<criteria operator="AND">
<criteria comment="check both files to account for procedure change in documenation" operator="OR">
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
- <criterion comment="make sure a password is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+ <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
</criteria>
- <criterion comment="make sure a superuser is defined in {{{ grub_cfg_prefix }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+ <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
</criteria>
</criteria>
</definition>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub_cfg_prefix + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}." id="test_bootloader_uefi_superuser" version="2">
<ind:object object_ref="object_bootloader_uefi_superuser" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -35,7 +29,7 @@
<ind:object object_ref="object_grub2_uefi_password_usercfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_usercfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/user.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/user.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -44,7 +38,7 @@
<ind:object object_ref="object_grub2_uefi_password_grubcfg" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
- <ind:filepath>{{{ grub_cfg_prefix }}}/grub.cfg</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index cb0d60c3ddf..cc68441e5ad 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -31,10 +31,8 @@ description: |-
<tt>grub.cfg</tt> file by running:
{{% if "ubuntu" in product %}}
<pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/sles/grub.cfg</pre>
{{% else %}}
- <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre>
+ <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
{{% endif %}}
rationale: |-
@@ -91,18 +89,18 @@ ocil: |-
To verify the boot loader superuser account password has been set,
and the password encrypted, run the following command:
{{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat /boot/efi/EFI/sles/grub.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should be similar to:
<pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
{{% elif "ubuntu" in product %}}
- <pre>grep -i password /boot/grub/grub.cfg</pre>
+ <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should contain something similar to:
<pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
{{% else %}}
- <pre>sudo cat /boot/efi/EFI/redhat/user.cfg</pre>
+ <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
index 72872d907e3..89a9fae86ec 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/oval/shared.xml
@@ -1,27 +1,21 @@
-{{% if product == "fedora" %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-{{% else %}}
-{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-{{% endif %}}
-
<def-group>
<definition class="compliance" id="uefi_no_removeable_media" version="1">
{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
- <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
- {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ <criterion comment="Check the set root in {{{ grub2_uefi_boot_path + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+ {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+ comment="tests the value of set root setting in the {{{ grub2_uefi_boot_path + "/grub.cfg" }}} file"
id="test_uefi_no_removeable_media" version="1">
<ind:object object_ref="obj_uefi_no_removeable_media" />
<ind:state state_ref="state_uefi_no_removeable_media" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
- <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:filepath>{{{ grub2_uefi_boot_path + "/grub.cfg" }}}</ind:filepath>
<ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
@@ -30,5 +24,5 @@
<ind:subexpression datatype="string" operation="pattern match">^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$</ind:subexpression>
</ind:textfilecontent54_state>
- {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+ {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
</def-group>
diff --git a/products/fedora/product.yml b/products/fedora/product.yml
index 0cb53c5331e..ea8e98eea78 100644
--- a/products/fedora/product.yml
+++ b/products/fedora/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
cpes_root: "../../shared/applicability"
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
index fb5d17786da..6438797f218 100644
--- a/products/rhel7/product.yml
+++ b/products/rhel7/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel7:
diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
index 78c987b2457..f6d2102558d 100644
--- a/products/rhel8/product.yml
+++ b/products/rhel8/product.yml
@@ -20,6 +20,8 @@ release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
oval_feed_url: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
+
cpes_root: "../../shared/applicability"
cpes:
- rhel8:
diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
index 4ceb332adf3..6b5a15d5cee 100644
--- a/products/rhel9/product.yml
+++ b/products/rhel9/product.yml
@@ -10,6 +10,8 @@ pkg_manager: "dnf"
init_system: "systemd"
+grub2_boot_path: "/boot/grub2"
+
dconf_gdm_dir: "distro.d"
# The fingerprints below are retrieved from https://access.redhat.com/security/team/key
diff --git a/products/sle12/product.yml b/products/sle12/product.yml
index d1301a17f91..b9e44e0725c 100644
--- a/products/sle12/product.yml
+++ b/products/sle12/product.yml
@@ -12,6 +12,8 @@ pkg_manager: "zypper"
pkg_manager_config_file: "/etc/zypp/zypp.conf"
oval_feed_url: "https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml"
+grub2_uefi_boot_path: "/boot/efi/EFI/sles"
+
cpes_root: "../../shared/applicability"
cpes:
- sle12-server:
diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
index 827a875d493..36ec98397f6 100644
--- a/products/ubuntu1604/product.yml
+++ b/products/ubuntu1604/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
index 68922441a2a..f1671b8d7dd 100644
--- a/products/ubuntu1804/product.yml
+++ b/products/ubuntu1804/product.yml
@@ -11,6 +11,7 @@ pkg_manager: "apt_get"
init_system: "systemd"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
index 15565b6748f..d75624d70a3 100644
--- a/products/ubuntu2004/product.yml
+++ b/products/ubuntu2004/product.yml
@@ -12,6 +12,7 @@ init_system: "systemd"
oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.focal.cve.oval.xml"
grub2_boot_path: "/boot/grub"
+grub2_uefi_boot_path: "/boot/efi/EFI/ubuntu"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/ssg/constants.py b/ssg/constants.py
index 666d7a4d3c8..f9c978a22a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -383,4 +383,5 @@
# Application constants
DEFAULT_UID_MIN = 1000
DEFAULT_GRUB2_BOOT_PATH = '/boot/grub2'
+DEFAULT_GRUB2_UEFI_BOOT_PATH = '/boot/grub2'
DEFAULT_DCONF_GDM_DIR = 'gdm.d'
diff --git a/ssg/products.py b/ssg/products.py
index 25178b741b2..fb55f5c2f4b 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -9,6 +9,7 @@
from .constants import (product_directories,
DEFAULT_UID_MIN,
DEFAULT_GRUB2_BOOT_PATH,
+ DEFAULT_GRUB2_UEFI_BOOT_PATH,
DEFAULT_DCONF_GDM_DIR,
PKG_MANAGER_TO_SYSTEM,
PKG_MANAGER_TO_CONFIG_FILE,
@@ -48,6 +49,9 @@ def _get_implied_properties(existing_properties):
if "grub2_boot_path" not in existing_properties:
result["grub2_boot_path"] = DEFAULT_GRUB2_BOOT_PATH
+ if "grub2_uefi_boot_path" not in existing_properties:
+ result["grub2_uefi_boot_path"] = DEFAULT_GRUB2_UEFI_BOOT_PATH
+
if "dconf_gdm_dir" not in existing_properties:
result["dconf_gdm_dir"] = DEFAULT_DCONF_GDM_DIR
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index bce7683a7c1..f024b3766cf 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -2,9 +2,13 @@ test -n "$GRUB_CFG_ROOT" || GRUB_CFG_ROOT=/boot/grub2
function set_grub_uefi_root {
if grep NAME /etc/os-release | grep -iq fedora; then
- GRUB_CFG_ROOT=/boot/efi/EFI/fedora
- else
- GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ GRUB_CFG_ROOT=/boot/grub2
+ elif grep NAME /etc/os-release | grep -iq "Red Hat"; then
+ if grep VERSION /etc/os-release | grep -q '9\.0'; then
+ GRUB_CFG_ROOT=/boot/grub2
+ else
+ GRUB_CFG_ROOT=/boot/efi/EFI/redhat
+ fi
fi
}
From a838226fc6b082ab73990613294328db49463c2b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 5 Aug 2021 17:59:39 +0200
Subject: [PATCH 4/5] Add the sshd directory configuration rule
Remediations of other sshd rules assumes that sshd is configured using
multiple files as opposed to one huge file, and this rule
makes sure that the assumption is guarded.
---
controls/anssi.yml | 3 +++
products/rhel9/profiles/cis.profile | 2 ++
products/rhel9/profiles/cjis.profile | 1 +
products/rhel9/profiles/e8.profile | 1 +
products/rhel9/profiles/hipaa.profile | 1 +
products/rhel9/profiles/ism_o.profile | 1 +
products/rhel9/profiles/ospp.profile | 1 +
products/rhel9/profiles/pci-dss.profile | 1 +
products/rhel9/profiles/rht-ccp.profile | 1 +
9 files changed, 12 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 7737e67ea51..eee79cf1ef7 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -384,6 +384,9 @@ controls:
- package_sudo_installed
- audit_rules_privileged_commands_sudo
+ # This rule should be present in the profile at least once
+ - sshd_use_directory_configuration
+
- id: R20
levels:
- enhanced
diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 622f88e3766..8d7816e5e2d 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -791,6 +791,8 @@ selections:
- file_permissions_sshd_pub_key
# TO DO: check owner of pub keys in /etc/ssh is root:root
+ # Ensure that the configuration is done the right way
+ - sshd_use_directory_configuration
### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
- sshd_set_loglevel_info
diff --git a/products/rhel9/profiles/cjis.profile b/products/rhel9/profiles/cjis.profile
index b45ba19d84f..0aaf7cb0206 100644
--- a/products/rhel9/profiles/cjis.profile
+++ b/products/rhel9/profiles/cjis.profile
@@ -98,6 +98,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
diff --git a/products/rhel9/profiles/e8.profile b/products/rhel9/profiles/e8.profile
index 6d87a778eee..3851255ccec 100644
--- a/products/rhel9/profiles/e8.profile
+++ b/products/rhel9/profiles/e8.profile
@@ -126,6 +126,7 @@ selections:
- audit_rules_kernel_module_loading
### Secure access
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_disable_gssapi_auth
- sshd_print_last_log
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
index 797c62708e2..d1dc18ba33c 100644
--- a/products/rhel9/profiles/hipaa.profile
+++ b/products/rhel9/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_remote_access_credential_prompt
- dconf_gnome_remote_access_encryption
+ - sshd_use_directory_configuration
- sshd_disable_empty_passwords
- sshd_disable_root_login
- libreswan_approved_tunnels
diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile
index 82e863ad3d3..6fc919da128 100644
--- a/products/rhel9/profiles/ism_o.profile
+++ b/products/rhel9/profiles/ism_o.profile
@@ -56,6 +56,7 @@ selections:
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
## 1561 / 1546 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
+ - sshd_use_directory_configuration
- sshd_max_auth_tries_value=5
- disable_host_auth
- require_emergency_target_auth
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index adec0cbd774..08ffcccd9e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
### Services
# sshd
+ - sshd_use_directory_configuration
- sshd_disable_root_login
- sshd_enable_strictmodes
- disable_host_auth
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 1fe85d39ae0..bd16dc97721 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -105,6 +105,7 @@ selections:
- dconf_gnome_screensaver_idle_activation_enabled
- dconf_gnome_screensaver_lock_enabled
- dconf_gnome_screensaver_mode_blank
+ - sshd_use_directory_configuration
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
- accounts_password_pam_minlen
diff --git a/products/rhel9/profiles/rht-ccp.profile b/products/rhel9/profiles/rht-ccp.profile
index e1d9a70b493..8576975aa54 100644
--- a/products/rhel9/profiles/rht-ccp.profile
+++ b/products/rhel9/profiles/rht-ccp.profile
@@ -87,6 +87,7 @@ selections:
- service_telnet_disabled
- package_telnet-server_removed
- package_telnet_removed
+ - sshd_use_directory_configuration
- sshd_allow_only_protocol2
- sshd_set_idle_timeout
- var_sshd_set_keepalive=0
From 470e496f8335c0d017bc82646537b03947b71941 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 11 Aug 2021 16:43:00 +0200
Subject: [PATCH 5/5] Reflect fusion of rhel9 packages
Packages dnf-plugin-subscription-manager and subscription-manager are
merged to subscription-manager in RHEL9 - see
https://bugzilla.redhat.com/show_bug.cgi?id=1847910#c2
---
.../rule.yml | 3 +--
.../package_subscription-manager_installed/rule.yml | 9 ++++++++-
products/rhel9/profiles/ospp.profile | 1 -
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 4f49b3b825d..8b6577226fb 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel8,rhel9
+prodtype: rhel8
title: 'Install dnf-plugin-subscription-manager Package'
@@ -17,7 +17,6 @@ severity: medium
identifiers:
cce@rhel8: CCE-82315-3
- cce@rhel9: CCE-89879-1
references:
ism: 0940,1144,1467,1472,1483,1493,1494,1495
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
index b90a7588270..32e5ce9a129 100644
--- a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -12,7 +12,14 @@ rationale: |-
and subscriptions on a local system to help manage subscription assignments.
It communicates with the backend subscription service (the Customer Portal
or an on-premise server such as Subscription Asset Manager) and works with
- content management tools such as yum.
+ content management tools such as {{{ package_manager }}}.
+
+ {{% if product in ["rhel9"] %}}
+ The package provides, among other things, {{{ package_manager }}} plugins
+ to interact with repositories and subscriptions
+ from the Red Hat entitlement platform - the subscription-manager and
+ product-id plugins.
+ {{% endif %}}
severity: medium
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 08ffcccd9e2..1b060c7bf07 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -178,7 +178,6 @@ selections:
- package_aide_installed
- package_dnf-automatic_installed
- package_subscription-manager_installed
- - package_dnf-plugin-subscription-manager_installed
- package_firewalld_installed
- package_openscap-scanner_installed
- package_policycoreutils_installed

29
scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
View File

@ -1,29 +0,0 @@
From d1c2810ca3ba0cea44cc70db34eb80e313408cb5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 25 Aug 2021 10:59:11 +0200
Subject: [PATCH] Remove package applicability from s390x_arch generated
remediations.
This makes sure that there will be no package applicability check in the
remediations of rules that use the s390x_arch platform applicability,
since the check is made by checking a line in file instead. At this
moment the build system does not allow doing such checks. The side
effect is that Bash and Ansible roles will apply this remediation even
on a system that is not s390_arch, so using OpenSCAP scanner is highly
recommended.
---
ssg/constants.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssg/constants.py b/ssg/constants.py
index 9bb4e1b5f4..adb76bfa8f 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -353,6 +353,7 @@
"uefi": None,
"non-uefi": None,
"not_s390x_arch": None,
+ "s390x_arch": None,
}
# _version_name_map = {

68
scap-security-guide-0.1.59-vm_timeout-PR_7780.patch Normal file
View File

@ -0,0 +1,68 @@
From e1408da0fb0224e64037bc693d262374795bf9a4 Mon Sep 17 00:00:00 2001
From: Matus Marhefka <mmarhefk@redhat.com>
Date: Wed, 20 Oct 2021 09:03:59 +0200
Subject: [PATCH] tests/install_vm.py: add timeouted wait for VM to shutdown
Added timeout should prevent issues where a VM is still in
the `running` state after `virsh console` disconnects and
therefore subsequent `virsh start` fails, e.g.:
```
Starting Reboot...
dracut Warning: Killing all remaining processes
Rebooting.
[ 522.430163] reboot: Restarting system
error: Domain is already active
```
---
tests/install_vm.py | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tests/install_vm.py b/tests/install_vm.py
index 6a51477a289..59ffc499587 100755
--- a/tests/install_vm.py
+++ b/tests/install_vm.py
@@ -4,6 +4,7 @@
import os
import sys
import subprocess
+import time
def parse_args():
@@ -110,6 +111,25 @@ def parse_args():
return parser.parse_args()
+def wait_vm_not_running(domain):
+ timeout = 300
+
+ print("Waiting for {0} VM to shutdown (max. {1}s)".format(domain, timeout))
+ end_time = time.time() + timeout
+ try:
+ while True:
+ time.sleep(5)
+ if subprocess.getoutput("virsh domstate {0}".format(domain)).rstrip() != "running":
+ return
+ if time.time() >= end_time:
+ print("Timeout reached: {0} VM failed to shutdown, cancelling wait."
+ .format(domain))
+ return
+ except KeyboardInterrupt:
+ print("Interrupted, cancelling wait.")
+ return
+
+
def main():
data = parse_args()
username = ""
@@ -210,6 +230,7 @@ def main():
os.system(command)
if data.console:
os.system("unbuffer virsh console {0}".format(data.domain))
+ wait_vm_not_running(data.domain)
os.system("virsh start {0}".format(data.domain))
print("\nTo determine the IP address of the {0} VM use:".format(data.domain))

25
scap-security-guide.spec
View File

@ -4,28 +4,16 @@
%global _vpath_builddir build
Name: scap-security-guide
Version: 0.1.57
Release: 5%{?dist}
Version: 0.1.58
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
BuildArch: noarch
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
Patch1: scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
Patch2: scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
Patch3: scap-security-guide-0.1.58-various_fixes-PR_7335.patch
Patch4: scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch
Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch
Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch
Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch
Patch8: scap-security-guide-0.1.58-cis_def-PR_6976.patch
Patch9: scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch
Patch10: scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch
Patch11: scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
Patch12: scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
Patch13: scap-security-guide-0.1.58-zipl_remediation_applicability-PR_7458.patch
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.59-vm_timeout-PR_7780.patch
BuildRequires: libxslt
BuildRequires: expat
@ -112,6 +100,11 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif
%changelog
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
- Rebase to a new upstream release (RHBZ#2014561)
- Disable profiles that we disable in RHEL8
- Add a VM wait handling to fix issues with tests.
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix remediations applicability of zipl rules
Resolves: rhbz#1996847

2
sources
View File

@ -1 +1 @@
SHA512 (scap-security-guide-0.1.57.tar.bz2) = e0f030445cc8c629f94be156581a3732abb104e2e5a57a92c64e7fa168b2107e60ee8edfcf8d715c339180317f09378317d031d575673b5384f16208528d66a2
SHA512 (scap-security-guide-0.1.58.tar.bz2) = 656d959d9e92f1b857afdd25fdb3eb2918630a0ffe34b90ffe3939124410c6d0e655d71b10c99f6ff35090a086ac7bd57acdc1d55822e472f09f160704f1a7d7